Author Topic: linklist.cc default I.E search changed  (Read 35174 times)


cowboy7

  • Guest
linklist.cc default I.E search changed
« on: March 20, 2004, 09:12:25 AM »
 >:( My I.E default search page changed to http://kinklist.cc best search engine....
How can I fix that???
I want to use the default again... http://ie.search.msn...
I use Ad-Aware, Spybot, RegClean.... but this S... always comes back...

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:linklist.cc default I.E search changed
« Reply #1 on: March 20, 2004, 12:25:02 PM »
That's a CoolWebSearch hijacker. You could try CWShredder or post a HijackThis log:

http://spywareinfo.com/~merijn/downloads.html
MfG Ralf

cowboy7

  • Guest
Re:linklist.cc default I.E search changed
« Reply #2 on: March 20, 2004, 10:36:11 PM »
Hi there...
Thanks for your help, but the CWShredder doesn't work.... the THING is still coming back...

Here is the HijackThis log...

Scan saved at 18:31:16, on 20/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\FVAL\LembrIt!\LembrIt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\twain_32\AVISION\AV260C\scaner32.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Outlook Express\msimn.exe
C:\Documents and Settings\Cowboy\Meus documentos\Programas\remove toolz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cowboy7
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B99D0EB-1F2B-44C6-816B-4C9605EC0326}: NameServer = 200.204.0.10 200.204.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B99D0EB-1F2B-44C6-816B-4C9605EC0326}: NameServer = 200.204.0.10 200.204.0.138

Sorry about my poor english!

greetings from Brazil!

 :-\

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:linklist.cc default I.E search changed
« Reply #3 on: March 21, 2004, 08:00:24 AM »
Hm, your HijackThis log is not complete. Please try to generate a log in Windows safe mode. You could also give SpybotSD and Ad-Aware a chance.
MfG Ralf

cowboy7

  • Guest
Re:linklist.cc default I.E search changed
« Reply #4 on: March 21, 2004, 02:09:11 PM »
Thanks for your help, pal...
How do I change to safe mode in Win XP??

Thanks again!


Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
MfG Ralf

cowboy7

  • Guest
Re:linklist.cc default I.E search changed
« Reply #6 on: March 21, 2004, 02:59:38 PM »
Hi there...
Now I saved the logfile in safe mode:

Logfile of HijackThis v1.97.7
Scan saved at 10:29:26, on 21/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Cowboy\Meus documentos\Programas\remove toolz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cowboy7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: LembrIt.lnk = C:\Arquivos de programas\FVAL\LembrIt!\LembrIt.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:linklist.cc default I.E search changed
« Reply #7 on: March 21, 2004, 04:25:37 PM »
Interesting thing, it still does not seem to be complete!?

Here's a regfile that will restore the Windows defaults for practically everything Search-related:
http://www.spywareinfo.com/downloads/tools/IEFIX.reg
Close all browser windows, double click the file and answer 'yes' when asked to merge.
Restart the computer, and test the browser.
MfG Ralf

cowboy7

  • Guest
Re:linklist.cc default I.E search changed
« Reply #8 on: March 21, 2004, 11:00:54 PM »
Thanks, pal!!!

Peltsi

  • Guest
Re:linklist.cc default I.E search changed
« Reply #9 on: March 29, 2004, 07:13:53 AM »
Hi,

I also had this thing changing my home page settings in Internet Explorer.  I used Startuplist.exe to generate a list of programs which are run at Windows startup.

On the list there was a section:

Autorun entries from Registry:
...
sys = regedit -s sys.reg

I checked that sys.reg file and linklist.cc was coded in it. I removed the file and now my IE settings survive a reboot.

With regards
Peltsi

woovic

  • Guest
Re:linklist.cc default I.E search changed
« Reply #10 on: March 30, 2004, 07:28:54 AM »
You can also try this if the other methods don't work:

I got it from:
http://www.spywareinfo.com/~merijn/

--------------------------------------------------------------
March 24, 2004:
[Update] If your browser has been hijacked to drxcount.biz, real-yellow-page.com, list2004.com or linklist.cc:
We are working on a fix for this one and drawing near to an automated solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it.

The following *updated* manual fix should work:
Download this zip: http://www.zero.vulc4n.com/downloads/pv.zip, unzip it to the desktop.
Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.
Notepad will open with a log in it. Look for a line with this file, size and beginning to it. The filename will always be different:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll

This part indicates the bad file:
61c00000 61440
It will always start with that header.
Write down the filename behind it.

Now download KillBox:
http://download.broadbandmedic.com/VbStuff/KillBox.zip
Unzip and run it.
Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot".
On the next screen, click on the File menu and choose "Add File". The file you copied earlier should now show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.
After rebooting, make sure the file is gone.
If this doesn't work, search on the SpywareInfo forums for topics posted by users with the same problem and read those. If none of the solutions you find work, make a new thread and ask for help.
-----------------------------------------------------

Worked for me, hope it works for others, good luck.
« Last Edit: March 30, 2004, 07:30:17 AM by woovic »
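
The log check in the quoted manual fix can be automated. The following Python is an added example, not part of the thread or of the tools it links to: it scans a module listing for entries whose base address and size match the `61c00000 61440` signature quoted above. The four-column layout (name, base, size, path) is assumed from the single line shown in the post, and every sample line other than the `winajbm.dll` one is constructed.

```python
import re

# Signature quoted in the post: module base address (hex) and size (decimal).
SIG_BASE = "61c00000"
SIG_SIZE = "61440"

# Assumed layout: name, hex base, decimal size, full path (path may contain spaces).
LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<base>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+(?P<path>\S.*?)\s*$"
)

def find_suspect_modules(log_text):
    """Return sorted, de-duplicated paths of modules matching base AND size."""
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process banners, blank lines
        # Both fields must match: many unrelated DLLs share one value or the other.
        if m.group("base").lower() == SIG_BASE and m.group("size") == SIG_SIZE:
            hits.add(m.group("path").lower())  # same DLL may be loaded in several processes
    return sorted(hits)

# Constructed sample listing (only the winajbm.dll line is taken from the post).
SAMPLE_LOG = r"""
Module information for 'iexplore.exe'
MODULE         BASE        SIZE  PATH
iexplore.exe   400000     90112 C:\Program Files\Internet Explorer\iexplore.exe
ntdll.dll      77f50000  684032 C:\WINDOWS\System32\ntdll.dll
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
example.dll    10000000   61440 C:\WINDOWS\System32\example.dll
Module information for 'explorer.exe'
ctl.dll         61C00000    61440 C:\WINDOWS\System32\ctl.dll
"""

if __name__ == "__main__":
    for path in find_suspect_modules(SAMPLE_LOG):
        print("matches signature:", path)
```

The function normalizes case and whitespace, so it also matches a listing line padded with extra spaces.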

victor7

  • Guest
Re:linklist.cc default I.E search changed
« Reply #11 on: March 31, 2004, 02:34:20 AM »
Windows 98: Click START, click RUN, then type "Msconfig"

Click the STARTUP tab

Go down the list and uncheck the box that says
            "sys = regedit -s sys.reg"  

Now reboot and you should be back to normal.

Windows 2000/XP: there is no Msconfig utility but you can download it
from the internet -- just go to Google and type "Msconfig."

Good luck
Victor  
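
The startup entry reported in the two posts above, `sys = regedit -s sys.reg`, silently re-imports a registry file at every boot, which is why the browser settings reverted after each cleanup. The following Python is an added example, not part of the thread: it flags autorun entries that run `regedit` with the silent switch on a `.reg` file, reading both StartupList-style `name = command` lines and HijackThis `O4` lines. The line formats are assumed from the logs on this page, and all sample lines except the `sys` entry are constructed.

```python
import re

# HijackThis autorun line: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# StartupList-style line: "name = command"
KV_RE = re.compile(r"^(?P<name>[^=\[\]]+?) = (?P<cmd>.+)$")

def silent_reg_import(cmd):
    """Return the .reg file that cmd imports silently via regedit, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    if not tokens:
        return None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("regedit", "regedit.exe"):
        return None
    # Without -s or /s, regedit asks the user to confirm the merge.
    if not any(t.lower() in ("-s", "/s") for t in tokens[1:]):
        return None
    regs = [t for t in tokens[1:] if t.lower().endswith(".reg")]
    return regs[0] if regs else None

def flag_autoruns(text):
    """Return (entry name, .reg file) for each autorun line doing a silent import."""
    flagged = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip()) or KV_RE.match(line.strip())
        if not m:
            continue
        reg_file = silent_reg_import(m.group("cmd"))
        if reg_file:
            flagged.append((m.group("name"), reg_file))
    return flagged

# Constructed sample; only "sys = regedit -s sys.reg" is quoted from the thread.
SAMPLE = r"""
Autorun entries from Registry:
avast! = C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
sys = regedit -s sys.reg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sys] "C:\WINDOWS\regedit.exe" /S "C:\WINDOWS\sys.reg"
O4 - HKCU\..\Run: [notes] notepad.exe C:\export.reg
"""

if __name__ == "__main__":
    for name, reg_file in flag_autoruns(SAMPLE):
        print(f"autorun '{name}' silently imports {reg_file}")
```

A flagged entry means both the autorun value and the `.reg` file it points to need removing; deleting only one leaves the other in place.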

Gunnerpunk

  • Guest
Re:linklist.cc default I.E search changed
« Reply #12 on: March 31, 2004, 08:42:47 PM »
it. The filename will always be different:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll

This part indicates the bad file:
61c00000 61440
It will always start with that header.
Write down the filename behind it.

I was having the same problem so I did what you said.  I found this:

ctl.dll         61c00000    61440 c:\windows\system32\ctl.dll

but when I went to look for the file, it doesn't exist anywhere on my system, but the linklist.cc is still my search url.  I tried the CWShredder and other tools by that same author and seemed to clear out all my hijacks except this one!  Any other ideas?

whocares

  • Guest
Re:linklist.cc default I.E search changed
« Reply #13 on: April 01, 2004, 09:03:17 AM »
c:\windows\system32\ctl.dll

but when I went to look for the file, it doesn't exist anywhere on my system,

Hi,
- Please configure Explorer to show all files/folders via extras/view -> folder options
- Did you try the KillBox approach above?
- Please post a HijackThis log
 ;)

Gunnerpunk

  • Guest
Re:linklist.cc default I.E search changed
« Reply #14 on: April 01, 2004, 07:17:37 PM »
I do have Explorer set to view all files, I looked manually and used the search to find the file and came up short both ways.  So obviously I could not killbox a file I couldn't find  ;)

Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:13:09 AM, on 4/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\AIM\aim.exe
C:\Warez\Misc\KillBox\KillBox.exe
C:\Program Files\Macromedia\HomeSite 5\HomeSite5.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Warez\Misc\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.muchthesame.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Lyra Jukebox\LyraHD2TrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [LyraHDProfiler] "C:\Program Files\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.3886342593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab