Need help with hijacked IE home page
-
I've had the IE on my laptop (Win XP) hijacked by the bug that automatically switches the default homepage to hp.uti/solangas.com/other search-all URL
Have already run:
AdAware (which found basically nothing wrong)
CWShredder (which found a few things and fixed them)
HijackThis (which found several other things that look suspicious)
Here's a copy of my HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 10:09:01 AM, on 6/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Download Utilities\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/e-center
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\u4b5ysjhe9lh3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF23DBCA-F066-4073-BFB9-BBF263FC058F}: NameServer = 63.93.64.20 63.93.64.21
From reading other posts, I've got a pretty good idea of which of the entries are the offending ones, but I don't want to go and do anything stupid and delete something that I might actually need. If one of the experts out there could give me some guidance at this point, I'd much appreciate it.
Thanks!
-
Download, update and run
CWShredder
Click Fix, don't just scan. Let it fix everything it asks about.
Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\u4b5ysjhe9lh3.dll
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O15 - Trusted Zone: *.greg-search.com
Make sure you have set Windows to show hidden files and folders, then reboot into Safe Mode, then find and delete the following:
C:\WINDOWS\System32\u4b5ysjhe9lh3.dll <-------- Delete this file.
C:\WINDOWS\System32\sysstartup.exe <-------- Delete this file.
Now do a search for winlogin.exe then right-click and delete it.
Reboot, then post a fresh HijackThis log.
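The entries the reply above picks out follow a pattern a reviewer can check mechanically: an R0 start page whose host differs from the OEM default recorded in R1/O14, a BHO with no name, O4 startup items not on a vetted list, and any site added to the IE Trusted Zone. The script below is an added example (not from the thread or from HijackThis) that runs those checks over item lines copied from the first log; the allowlist of vetted startup commands is an assumption.

```python
import re
from urllib.parse import urlsplit
# Sample item lines copied from the thread's first HijackThis log (constructed excerpt, not a live scan)
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/e-center
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\u4b5ysjhe9lh3.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O15 - Trusted Zone: *.greg-search.com
"""

# Assumed allowlist: startup commands the reviewer has already vetted on this machine (lower-cased)
KNOWN_GOOD_STARTUP = {r"c:\progra~1\norton~1\navapw32.exe"}
ITEM_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

def parse_items(log):
    """Return (section, body) pairs for every HijackThis item line; process lists etc. are skipped."""
    return [(m.group("section"), m.group("body"))
            for m in (ITEM_RE.match(l.strip()) for l in log.splitlines()) if m]

def host_of(body):
    """Hostname of the first http(s) URL in an R0/R1/O14 line, or None."""
    m = re.search(r"https?://\S+", body)
    return urlsplit(m.group(0)).hostname if m else None

def startup_command(body):
    """The launched command from an O4 line: text after the [name] tag, or after 'Global Startup: '."""
    return body.split("] ", 1)[1].strip().lower() if "] " in body else body.split(": ", 1)[1].strip().lower()

def review(log):
    """Apply the checks the thread's reply used by hand; returns (section, reason, body) triples.
    The OEM default (R1 / O14) says what the start page should be; R0 is compared against it."""
    items = parse_items(log)
    expected_hosts = {host_of(b) for s, b in items if s in ("R1", "O14")}
    findings = []
    for section, body in items:
        if section == "R0" and "Start Page" in body and host_of(body) not in expected_hosts:
            findings.append((section, "start page redirected away from the OEM default", body))
        elif section == "O2" and "(no name)" in body:
            findings.append((section, "unnamed BHO loaded into IE", body))
        elif section == "O4" and startup_command(body) not in KNOWN_GOOD_STARTUP:
            findings.append((section, "startup item not on the vetted list", body))
        elif section == "O15":
            findings.append((section, "site added to IE Trusted Zone", body))
    return findings
```

Running `review(SAMPLE_LOG)` flags exactly the R0, O2, three O4 and O15 lines the reply tells the poster to fix, and leaves the Norton entry alone.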
-
Thanks for your help, Nirvana. Actually, I'd already had CWShredder fix what it could, and then went further with HijackThis, checking off the R0, O2, and O15 entries and fixing them, before I got your reply. That seemed to be all it took to get rid of the hijacker (I also ran Norton and found a trojan virus, which I quarantined). I have had no problems since.
However, I did follow the rest of your instructions once I got them. The only thing that didn't work involved "winlogin.exe". When I asked HJT to fix it, it gave me a message that it couldn't, and suggested I use the Task Mgr to do it manually; then after I re-booted and did a search, the only thing found was one of the backup files created by HJT. As you can see below, the entry is still in the HJT log, however, I've not noticed any problems with the computer since the original HJT fix/virus zap last week.
For the record, here's the most recent HJT log, and thanks again for your help:
Logfile of HijackThis v1.97.7
Scan saved at 10:58:28 AM, on 6/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Download Utilities\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/e-center
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
-
Go to Windows Update and scan then download ALL of the critical updates.