Topic: linklist.cc default I.E search changed

AOrlando85

« Reply #30 on: April 08, 2004, 12:52:31 AM »
I fixed the ones you have listed here but it still doesn't let me get onto AltaVista. What can I do? I don't know why there is a TEMP-folder in the autostart... what should I do about that?

AOrlando85

« Reply #31 on: April 08, 2004, 03:58:39 AM »
Sorry, it did fix everything. I just had to clear my history and all for it to take effect. Thanks a lot for the help... I really appreciate it! What can I do about the Temp-folder that's in my autostart? Thanks again.

cowboy7

« Reply #32 on: April 08, 2004, 04:01:32 AM »
Here is another log file...
I already deleted the DLL and changed all the reg keys, but this shit is still there...

Logfile of HijackThis v1.97.7
Scan saved at 22:12:56, on 07/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Cowboy\Meus documentos\Programas\remove toolz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nnfm.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8AA5CBB2-4FB1-4BE6-B2A3-2807B6F70658} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: (no name) - {C6B3FD30-E854-4612-9DA4-31BB2320559D} - (no file)
O2 - BHO: (no name) - {D8DA2AF4-3023-49DE-9340-D77113640146} - C:\WINDOWS\System32\nnfm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: avast.lnk = C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Dienson

« Reply #33 on: April 08, 2004, 08:24:34 PM »
Haha.. I got rid of this fucking problem.
I had both linklist.cc and searchx.cc

What to do?

Download this HijackThis: http://tomcoyote.com/hjt/
Run the exe file
Click the "Scan" button
Now you'll see a list of items that are infected
Go through the whole list and delete each file in the specified location (Info on selected item)

When you delete all those items it will be removed.

Gunnerpunk

« Reply #34 on: April 08, 2004, 08:25:04 PM »
I'm having a similar problem as the above.. I had everything cleaned but this has just started and I can't get the registry keys to stay deleted. As soon as I open the browser they appear again, and there is a search page even though it says about:blank in the address.

Logfile of HijackThis v1.97.7
Scan saved at 1:18:47 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9F5D6330-B43A-4629-BB5A-AB0A08B98CA3} - C:\WINDOWS\System32\kemffdf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.3886342593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


jm0y

« Reply #35 on: April 09, 2004, 04:52:07 PM »
Gunnerpunk, I've been researching this for the past couple of days, and have been unable to remove it from my machine! The newest (I think built yesterday) version of CWShredder can identify and remove this, but it seems to somehow still re-install itself on reboot. CWShredder classifies this as CWS.SearchX -- the search page that comes up is SearchX, right?

That "kemffdf.dll" stuff in your HJT log is the problem, and the filename for the dll is randomly generated every time the thing re-installs itself.

Can't really help you out too much except to say that I'm in the same boat, and it seems like the people who make CWShredder are on it... check out http://www.spywareinfo.com/~merijn/cwschronicles.html#searchx

Nick
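An added example, not part of any post in this thread: because the DLL name changes on each re-install, a check on these logs has to key on the pattern rather than the filename, namely IE search settings that point at a `res://` page inside a DLL that is also registered as a BHO. The sketch below assumes the HijackThis v1.97.7 line format seen in the logs above; the sample lines are constructed from the log in Reply #34.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the HijackThis format quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kemffdf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9F5D6330-B43A-4629-BB5A-AB0A08B98CA3} - C:\WINDOWS\System32\kemffdf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
"""

# R0/R1 line: an IE setting whose value is an HTML resource inside a DLL.
RES_RE = re.compile(r"^R[01] - (?P<key>.+?) = res://(?P<dll>.+?\.dll)/", re.I)
# O2 line: a Browser Helper Object with its CLSID and backing file.
BHO_RE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-F-]+\}) - (?P<file>.+)$", re.I)

def correlate(log_text):
    """Map each DLL that is both a res:// search target and a BHO
    to the registry values pointing at it and the BHO CLSIDs loading it."""
    res_targets = defaultdict(list)
    bhos = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = RES_RE.match(line)
        if m:
            res_targets[m["dll"].lower()].append(m["key"])
            continue
        m = BHO_RE.match(line)
        if m and m["file"].strip() != "(no file)":
            bhos[m["file"].strip().lower()].append(m["clsid"].upper())
    # Only DLLs seen in both roles are reported; the filename itself is never matched.
    return {dll: {"keys": keys, "bho": bhos[dll]}
            for dll, keys in res_targets.items() if dll in bhos}

if __name__ == "__main__":
    for dll, hit in correlate(SAMPLE_LOG).items():
        print(f"{dll}: {len(hit['keys'])} search settings, BHO {hit['bho']}")
```
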

Rays160

« Reply #36 on: June 01, 2004, 10:43:06 PM »
I found a fix for this. In the System32 folder (or just run a search), there is a Sys.reg file that contains URLs like http://%73%6C%74%73%79%79%2E%74%2E%72%61%63%6B%2E%63%63/%68%70%2E%70%68%70. Delete this and uncheck the regedit -s sys.reg in MSCONFIG. This gets rid of the unwanted bug.

Ray

Gunnerpunk

« Reply #37 on: June 01, 2004, 10:51:20 PM »
I searched for *.reg in the system but don't see any that contain "http://" =/

I also don't know where to look to uncheck the regedit thing in MSCONFIG.

I'm dying to get this off my system, it's creating popups when I load AIM now too.

DavidR

« Reply #38 on: June 02, 2004, 12:39:43 AM »
> I also don't know where to look to uncheck the regedit thing in MSCONFIG.
>
> I'm dying to get this off my system, it's creating popups when i load AIM now too.

From Windows, click Start, then Run and type msconfig. When msconfig opens, click the Startup tab and look for any program that is set to run at startup that may be unknown and causing this problem.

Having identified it, untick the box to the left of the suspect program (if there is more than one, don't go mad, only do one at a time), run CWShredder again and reboot.

Hopefully this will take you a step further.

David

raman

« Reply #39 on: June 02, 2004, 09:46:52 AM »
You will not get that hijacker that way, it is a "bit" different.

If you have the luck, this cleaner (new version) will be able to fix that:

ftp://ftp.kaspersky.com/utils/clrav/clrav.com

Or read this carefully:

http://www.wilderssecurity.com/showpost.php?s=ae2da6f337bf3d1d7c69071d73c18e65&p=162440&postcount=4

Regards, Ralf

Gunnerpunk

« Reply #40 on: June 02, 2004, 11:01:12 PM »
Well so far so good.. I went through the second link you posted and did what it said, that was at 10am and it's now 4pm and I haven't had it come back.. usually it comes back after a couple hours!

I'll post here again if it comes back.. but as of right now I confirm that it works!