Author Topic: linklist.cc default I.E serach changed  (Read 35266 times)

whocares

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #15 on: April 01, 2004, 11:17:56 PM »
Hi,

is R1 your desired startpage ?
have you tried fixing O14 ?
do you really need googletoolbar ?


have you scanned&fixed in SafeMode TWICE with
ad-aware, spybot and cwshredder AFTER updating them ?

if still no results, disable everything you know in startup via msconfig, and then come back here with a new HJT-Log (it's a bit too cluttered for proper analysis) ;)

Gunnerpunk

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #16 on: April 02, 2004, 07:11:57 AM »
Alright I did what you said.  The first time in safe mode, it did find CWS.Msconfig and Spybot found some tracking cookies.  Subsequent checks in safe and normal mode were clean.  Here is a selective HijackThis log (I removed anything I specifically knew was okay):

Logfile of HijackThis v1.97.7
Scan saved at 11:04:54 PM, on 4/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

One thing that's interesting is that I did try to completely uninstall QuickTime but I still notice some stuff in the O16's, though I don't think those are my problem.

After all this, I try going to a site that doesn't exist and I still end up at http://linklist.cc/index.php?aid=20038

I ran pv.exe and still see this:

ctl.dll         61c00000    61440 c:\windows\system32\ctl.dll

Which is supposedly something related to CWS but this file DOES NOT exist on my system as far as I can tell.  But if it doesn't exist, how can it be in the log?

whocares

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #17 on: April 02, 2004, 10:34:38 AM »

ctl.dll         61c00000    61440 c:\windows\system32\ctl.dll

Which is supposedly something related to CWS but this file DOES NOT exist on my system as far as I can tell.

either you haven't enabled Explorer to really show you all files (maybe post a screenshot of the settings you have there ?),
or maybe it's only created temporarily ?

are you sure you followed all the steps in the PV-procedure ? have you TRIED going through the killbox procedure, even though you can't see the file in explorer ?


Boot the PC with Win-XP-CD, change to console and navigate with Dir & CD to c:\windows\system32:
try DIR, ATTRIB and DEL on the ctl.dll

also please post the SCAN-log of cwshredder here, and the contents of your host(s)/lmhost(s) files

« Last Edit: April 02, 2004, 10:35:59 AM by whocares »

galooma

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #18 on: April 02, 2004, 03:09:45 PM »
Could it be hidden in a restore point backup?  :-\

whocares

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #19 on: April 02, 2004, 03:32:06 PM »
@GP:

have you tried this ?

here's a regfile that will restore the Windows defaults for practically
everything Search-related
http://www.spywareinfo.com/downloads/tools/IEFIX.reg
Close all browser windows, double click the file and answer 'yes' when asked to merge.
Restart the computer, and test the browser.

Gunnerpunk

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #20 on: April 02, 2004, 05:11:51 PM »
Attached are my explorer settings.

I did everything you both suggested, with no new results.  

When I go to a page that does not exist, I see it trying to go to the correct Microsoft search page for a second or two, then it says it's going to about:blank, and then the linklist page pops up again.

I found hosts and lmhosts.sam in the system32/drivers/etc folder, both had no entries in them. (I did find a hosts.bak that had some entries to various malicious hosts but I'm sure this was created by one of the programs I've been using to clear this stuff up).

Is there any other way that a browser can be tricked into redirecting somewhere else?  Because as far as I can tell it's not a problem of not knowing what search page to use, it's just that the real search page is somehow resolving to linklist.

Thanks for all your help so far, I've gotten rid of a good deal of stuff and this is not the end of the world, but if I'm having the problem I'm sure many others are as well!

whocares

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #21 on: April 02, 2004, 05:39:58 PM »
Well good luck,

ps: Cwshredder just brought out a new version, maybe this will work ?
but afaik, they are still working on the linklist.cc problem themselves, so don't lose hope


cowboy7

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #22 on: April 05, 2004, 11:44:59 PM »
I'm still having trouble with this shit!!!!
I do everything but linklist.cc always comes back!!!!

Ahhhhhhhhhhhhhhhhh!!!

I can't format my computer right now!!!!

Jesus... how can I get rid of this!!!?????????????????????

Jima

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #23 on: April 07, 2004, 02:21:49 AM »
I've had problems with linklist.cc continually grabbing my home page, no matter how often I set it where I want.
Now, the sob has glommed on to my email reply, with the whole search page sort of attached to the message.  What a pain.  Using a brand new XP, will try the msconfig.

AOrlando85

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #24 on: April 07, 2004, 03:20:54 AM »
hi, I need help with my computer...I just recently got rid of the linklist.cc thing that changes your homepage....now when I try to access altavista.com, it redirects me to this thing called BEST WEB SEARCH. what can I do to get rid of this? I downloaded spybot s&d and it stopped it from redirecting me on msn and google but now altavista is screwed up. anything will help....Thanks

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:linklist.cc default I.E serach changed
« Reply #25 on: April 07, 2004, 12:09:50 PM »
Is your Spybot/Ad-Aware up to date? Create a HijackThis log and see if there is something displayed starting with "O1", if so fix it, if not, please post your log to the forum.
MfG Ralf

AOrlando85

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #26 on: April 07, 2004, 06:47:23 PM »
my spybot should be up to date, I just downloaded it yesterday. how do I create a HijackThis log? sorry I don't really know a whole lot about computers.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:linklist.cc default I.E serach changed
« Reply #27 on: April 07, 2004, 06:59:13 PM »
You should use the built-in updater from Spybot.

Hijackthis? Read this: http://tomcoyote.com/hjt/
MfG Ralf

AOrlando85

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #28 on: April 07, 2004, 09:45:11 PM »
ok...here is my Hijackthis log.

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\INS3.TMP\DLGLI.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AcademicPlanet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F1 - win.ini: run=hpfsched
O1 - Hosts: 66.250.170.70 verisign.com
O1 - Hosts: 66.250.170.70 www.altavista.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins4.TMP\DLGLI.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Locators.com Search Bar (HKLM)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WebMail (HKCU)
O9 - Extra button: PageMagic (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38020.5900810185
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab


whocares

  • Guest
Re:linklist.cc default I.E serach changed
« Reply #29 on: April 08, 2004, 12:25:08 AM »
a)
O1 - Hosts: 66.250.170.70 verisign.com
O1 - Hosts: 66.250.170.70 www.altavista.com
O4 - HKLM\..\Run: [sys] regedit -s sys.reg

b)
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins4.TMP\DLGLI.EXE


fix a)
for a start
I don't know about the hpfsched in the INI-file, but this could be alright, try google

b) -> why is a program in TEMP-folder in the autostart ?

 ;)
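
Added example (not part of any post in this thread, and not HijackThis's own code): a small Python triage of the O1 and O4 lines from the log in reply #28, flagging the same three things reply #29 picks out (hosts-file redirects, a silent regedit import at startup, an autostart from a TEMP folder). The function name, reason labels and heuristics are assumptions made for this sketch.

```python
import re

# Sample input: a subset of lines copied from the HijackThis log in reply #28.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 66.250.170.70 verisign.com
O1 - Hosts: 66.250.170.70 www.altavista.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins4.TMP\DLGLI.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS = re.compile(r"^Hosts:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)$")
SILENT_REG = re.compile(r'(?i)^"?regedit(\.exe)?"?\s+[/-]s\b')
TEMP_DIR = re.compile(r"(?i)\\te?mp\\")
LOOPBACK = ("127.", "0.0.0.0")  # blocklist-style entries are not redirects


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.group("code"), m.group("body")
        if code == "O1":
            h = HOSTS.match(body)
            # A hosts entry mapping a name to a non-loopback address
            # overrides DNS for that name.
            if h and not h.group("ip").startswith(LOOPBACK):
                findings.append((code, "hosts-redirect",
                                 f"{h.group('name')} -> {h.group('ip')}"))
        elif code == "O4":
            # "Startup: name.lnk = target" or "HKLM\..\Run: [name] command"
            sep = "=" if body.startswith("Startup:") else "]"
            target = body.partition(sep)[2].strip()
            if SILENT_REG.match(target):
                findings.append((code, "silent-reg-import", target))
            elif TEMP_DIR.search(target):
                findings.append((code, "autostart-from-temp", target))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:3} {reason:20} {detail}")
```

A flagged line is only a prompt to check the entry by hand, as in the replies above; the heuristics do not decide whether something is malicious.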