1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

hijack this question

Discussion in 'Virus & Other Malware Removal' started by lisaa7002, Oct 15, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. lisaa7002

    lisaa7002 Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    1,258
    I got this line on my hijack this log & was wondering what it was. I had never seen this before, and recently have been having probems- most of which are gone, but things still aren't "quite right".

    "Default URLSearchHook is missing."

    Any ideas? Thanks guys...:confused:
     
  2. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    R3 is the URLSearchHook. A URLSearchHook is an object which has attached itself to the URLSearcHook values. When you type an address WITHOUT the known prefixes (http://, ftp:// etc.) then Windows will look for that address using the URLSearcHook.

    In an event of it being hijacked, then when you type say..."aol.com", then you will redirected to the hijackers page because the file has the code in it to send all address without the prefixes to that page.

    FYI, there should be only 1 URLSearchHook, when HT reports about this, then it means there are 2 (or more),

    Sometimes you may automatically recongize it as a "bad" site.

    This can be fixed: R3 - Default URLSearchHook is missing
     
  3. lisaa7002

    lisaa7002 Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    1,258
    Thanks so much! I knew Something was wrong!!!
     
  4. KeithKman

    KeithKman

    Joined:
    Dec 28, 2002
    Messages:
    1,983
    Do this in order:

    1) Open Internet Explorer -> Tools -> Internet Options -> delete cookies, delete files (select off-line content), clear history. Then click ok and exit Internet Explorer.


    2) Read http://tomcoyote.org/SPYBOT/index1.html then download and run SpyBot. Make sure to get the updates for SpyBot before you have it scan your computer. After you scan and remove anything SpyBot finds, make sure to click the Immunize button and OK and then click the Immunize button in the right pane.


    3) Run one of the following free Anti-Virus programs here:

    http://housecall.trendmicro.com - I found this to work the best.

    http://www.pandasoftware.com/activescan

    http://www.ravantivirus.com/scan


    4) Read http://www.tomcoyote.org/hjt/ then download and install HiJackThis. Open up HiJackThis and click "Scan". After you do so, click "Save Log" and save it to your desktop. Exit HiJackThis and open the log you created on your desktop and copy every thing in the log and post it here.
     
  5. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    lisaa7002 ...

    Not knowing what you already have installed on your computer, please forgive me in advance if some of these suggestions duplicate what you already have.

    Download the free Ad-Aware 6 Personal Build 181 and have it do a thorough cleaning of your unwanted files: http://www.lavasoft.de/support/download/

    Launch the program ... on the start-up screen, you will need to first run the Webupdate Feature (globe at the top), or click "check for updates" to get the Reference File up to date.

    Please use the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed.

    Then see that you have these options checked:
    Under Ad-Aware 6 Settings, Tweaks, Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-Aware 6 Settings, Tweaks, Cleaning Engine:
    "Let Windows remove files in use after reboot."

    Next ...

    Run Ad-Aware 6.
    Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
    Make a Quarantine only if you do not have the Auto-Quarantine option ON.
    Then choose "Next" to remove the chosen objects.
    Finally ... Reboot

    Please read http://forums.techguy.org/t164245/s.html for further instructions, settings , etc.

    Once you are cleaned up, you might want to visit http://www.wilderssecurity.net/index.html and download the following:

    SpywareBlaster v2.6.1
    SpywareGuard v2.2

    These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

    Lastly, consider installing IE-SPYAD, a registry file that adds a long list of sites to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
     
  6. lisaa7002

    lisaa7002 Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    1,258
    I have Ad-Aware, Spybot, & Hijack this already. I had all the tweaks alredy , but was running wrong kind of scan (not the tweaked one) I ran it tweaked & it brought up 54 items. Only three were something other than tracking cookies. I got rid of all of it.

    Oh & in my internet connections it has down some really long password (not mine) I keep deleting it , but it keeps comming back. I have been connectin all right , but it's in there & I was wondering if it's a problem?

    My internet security properties was set to advanced. Should I set it back to the recommended setting. It was set to " no encription allowed. sysetm shut down if any encription is found" - I don't know if I set it there when Dell was helping me out or if my problem set it to that - Any ideas?

    Here is my hijack log. Thanks guys.
    Logfile of HijackThis v1.97.2
    Scan saved at 1:58:14 PM, on 10/16/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Digimax Viewer 1.0.lnk = C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02E1ECCB-BCFC-4AA7-AF0A-454B590BB368}: NameServer = 207.69.188.185 207.69.188.186
    O17 - HKLM\System\CS1\Services\Tcpip\..\{02E1ECCB-BCFC-4AA7-AF0A-454B590BB368}: NameServer = 207.69.188.185 207.69.188.186
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Lisa...
    "Fix" these with HijackThis:
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...porter.cab?RND=

    Re-boot and delete:
    C:\PROGRAM FILES\AWS [FOLDER]

    ;)
     
  8. lisaa7002

    lisaa7002 Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    1,258
    Hi Steve.

    Thanks for the tip, but hubby would have a cow if I got rid of his weather bug!! It doesn't seem to give me any problems. I get Very Few pop ups & run my ad-aware & spybot regularly.

    I think I picked up my problem on that " How much are you worth" thread.
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,192
    First Name:
    Derek
    Lisaa

    don't worry about the long password in Xp

    It's an XP security measure

    waht bhappens is that XP adds spurious extra dots to the password field so no-one looking at it can guess what your password is by the number of dots.

    it does only use the correct password so don't keep deleting it just press enter and it will all be ok
     
  10. lisaa7002

    lisaa7002 Thread Starter

    Joined:
    Jul 14, 2003
    Messages:
    1,258
    Ohhhh ok! Wow that's smart of them to do that! I would have never thought of that.

    I think my problems may actually be over. I thank all of you that lent me a hand! :D:D:D
     
  11. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Good to hear ... (y)
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/172246

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice