#1  April 13th, 2004, 09:42 PM
jony_05 (New Member; Join Date: Jan 2004; Posts: 20)
Must get tired of this but anyways.........

Here's my HijackThis log. The internet's doing stupid stuff; I run Ad-Aware and Shredder but it keeps coming back.

Logfile of HijackThis v1.97.7
Scan saved at 4:42:55 PM, on 13/04/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\JONBAR~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {81E106F5-FBD9-4363-93C3-9518D531C746} - C:\WINDOWS\System32\ggnh.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2FF6EEA-FE6B-4674-B128-356C7FB537D4}: NameServer = 206.47.244.112 206.47.244.12
#2  April 14th, 2004, 09:31 AM
Steven.Bentley (CTH Subscriber; Join Date: Nov 2000; Location: West Yorkshire, UK; Age: 44; Posts: 3,840)
Hi Jony

These can certainly be fixed in Hijack This:

Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
I'm deeply suspicious about this one, but I'd like to get a second opinion before telling you to remove it:

Quote:
O2 - BHO: (no name) - {81E106F5-FBD9-4363-93C3-9518D531C746} - C:\WINDOWS\System32\ggnh.dll
Other than that it looks fairly clean. Are you getting any problems other than the search bar being hijacked?
#3  April 15th, 2004, 03:19 AM
jony_05 (New Member; Join Date: Jan 2004; Posts: 20)
well....

My home page is always Cool Search or whatever, even when I am not connected to the internet and all Temporary Internet Files are deleted. I click on Explorer and Cool Search is there, so from what I can tell it's on my computer and it always comes back. And after I delete all the internet files, 2 sites are always left behind, like a porn site and a wallpaper site or something. Guess my brother won't be using my computer anymore.... Anyway, thanks for the help n' all, it's greatly recognized.
#4  April 15th, 2004, 08:23 AM
mike (CTH Subscriber; Join Date: Sep 2000; Posts: 3,300)
Hi jony_05

It is a Cool Web Search hijack.
And the file queried by Steven.Bentley is part of it.

Can you download the latest CWShredder from:
http://209.133.47.200/~merijn/files/CWShredder.exe

Open CWShredder, click on Scan, and copy/paste the results back to this thread, please.

Then click on the Fix button to find and fix any problems.

How to stop CWS infection: read the information shown when you click "Next" at the end of running CWShredder, or you will be reinfected.

Reboot Computer

Post back a new HijackThis log as soon as it reappears, please.

It may be a hard one to remove.

Cheers
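The diagnosis Steven.Bentley and mike arrive at above (the R0/R1 search keys point into a res:// URL inside a DLL, and an unnamed O2 BHO loads that same DLL, which is why the search-page fixes keep coming back) can be checked mechanically against a saved HijackThis log. This is an added Python example, not part of the thread or of HijackThis; the sample lines are copied from jony_05's first log, and the function names and regexes are my own.

```python
import re

# Sample HijackThis v1.97.7 lines, copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ggnh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {81E106F5-FBD9-4363-93C3-9518D531C746} - C:\WINDOWS\System32\ggnh.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"""

# R0/R1 lines look like "<kind> - <registry key>,<value name> = <data>".
R_LINE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
# O2 lines look like "O2 - BHO: <name> - {CLSID} - <dll path>".
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# A res:// URL serves HTML out of a DLL; the DLL path is what we correlate on.
RES_DLL = re.compile(r"res://(.+?\.dll)", re.IGNORECASE)

def parse_entries(log_text):
    """Split a HijackThis log into its R0/R1 entries and its O2 BHO entries."""
    r_entries, bhos = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            r_entries.append({"kind": m.group(1), "key": m.group(2), "data": m.group(3)})
            continue
        m = O2_LINE.match(line)
        if m:
            bhos.append({"name": m.group(1), "clsid": m.group(2), "path": m.group(3)})
    return r_entries, bhos

def find_res_hijacks(r_entries):
    """(registry key, dll path) for every R0/R1 entry whose data is a res:// URL into a DLL."""
    hits = []
    for e in r_entries:
        m = RES_DLL.search(e["data"])
        if m:
            hits.append((e["key"], m.group(1).lower()))
    return hits

def correlate_bhos(r_entries, bhos):
    """For each hijack DLL, the CLSIDs of BHOs loading that same DLL: the component that re-applies the hijack."""
    dlls = {dll for _, dll in find_res_hijacks(r_entries)}
    return {dll: [b["clsid"] for b in bhos if b["path"].lower() == dll] for dll in sorted(dlls)}

def unnamed_bhos(bhos):
    """CLSIDs of BHOs registered with no name, the detail that made the O2 line suspicious."""
    return [b["clsid"] for b in bhos if b["name"].strip("()") == "no name"]
```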
#5  April 15th, 2004, 11:20 AM
Steven.Bentley (CTH Subscriber; Join Date: Nov 2000; Location: West Yorkshire, UK; Age: 44; Posts: 3,840)
Thanks Mike
#6  April 15th, 2004, 09:58 PM
jony_05 (New Member; Join Date: Jan 2004; Posts: 20)
here's the shredder thingy

Hosts file not present
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (786 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (250 bytes, A)

- END OF REPORT -
#7  April 15th, 2004, 10:05 PM
jony_05 (New Member; Join Date: Jan 2004; Posts: 20)
and here's the HijackThis

Logfile of HijackThis v1.97.7
Scan saved at 5:02:10 PM, on 15/04/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\JONBAR~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab

Things are working better but those 2 websites still come up; the Cool Search is done for, though. Thanks for the help, and if you have any idea how to get those web sites permanently deleted, that'd be excellent. Thanks again.
#8  April 16th, 2004, 06:37 PM
mike (CTH Subscriber; Join Date: Sep 2000; Posts: 3,300)
Hi jony_05,

Close all browser windows
and have HijackThis FIX the below:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Reboot computer.

re: "but those 2 websites still come up,"
If you mean files in the Favorites folder won't delete, try right-clicking the Favs folder and removing "Read-only", then try a delete,
OR
navigate to the Favs folder via the command prompt and delete the files.

Cheers
#9  April 16th, 2004, 10:38 PM
jony_05 (New Member; Join Date: Jan 2004; Posts: 20)
Thank-yee

Thanks for all the help everybody, it helped me a lot.