My IE default search page changed to http://kinklist.cc best search engine…
How can I fix that???
I want to use the default again… http://ie.search.msn…
I use Ad-Aware, Spybot, RegClean… but this S… always comes back…
That's a CoolWebSearch hijacker. You could try CWShredder or post a HijackThis log:
Hi there…
Thanks for your help, but CWShredder doesn't work… the THING is still coming back…
Here is the HijackThis LOG…
Scan saved at 18:31:16, on 20/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\FVAL\LembrIt!\LembrIt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\twain_32\AVISION\AV260C\scaner32.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Outlook Express\msimn.exe
C:\Documents and Settings\Cowboy\Meus documentos\Programas\remove toolz\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cowboy7
O17 - HKLM\System\CCS\Services\Tcpip..{3B99D0EB-1F2B-44C6-816B-4C9605EC0326}: NameServer = 200.204.0.10 200.204.0.138
O17 - HKLM\System\CS1\Services\Tcpip..{3B99D0EB-1F2B-44C6-816B-4C9605EC0326}: NameServer = 200.204.0.10 200.204.0.138
Sorry about my poor English!
greetings from Brazil!
:-\
Hm, your HijackThis log is not complete. Please try to generate a log in Windows safe mode. You could also give Spybot S&D and Ad-Aware a chance.
Thanks for your help, pal…
How do I change to safe mode in Win XP??
Thanks again!
Please read this manual:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Hi there…
Now I saved the logfile in safe mode:
Logfile of HijackThis v1.97.7
Scan saved at 10:29:26, on 21/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Cowboy\Meus documentos\Programas\remove toolz\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cowboy7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: LembrIt.lnk = C:\Arquivos de programas\FVAL\LembrIt!\LembrIt.exe
O9 - Extra ‘Tools’ menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Interesting thing, it still does not seem to be complete!?
Here's a regfile that will restore the Windows defaults for practically everything search-related:
http://www.spywareinfo.com/downloads/tools/IEFIX.reg
Close all browser windows, double-click the file and answer 'yes' when asked to merge.
Restart the computer, and test the browser.
Thanks, pal!!!
Hi,
I also had this thing changing my home page settings in Internet Explorer. I used StartupList.exe to generate a list of programs which are run at the startup of Windows.
On the list there was a section:
Autorun entries from Registry:
…
sys = regedit -s sys.reg
I checked that sys.reg file and there was that linklist.cc coded in it. I removed the file and now my IE settings survive a reboot.
With regards
Peltsi
You can also try this if the other methods don’t work:
I got it from:
http://www.spywareinfo.com/~merijn/
March 24, 2004:
[Update] If your browser has been hijacked to drxcount.biz, real-yellow-page.com, list2004.com or linklist.cc:
We are working on a fix for this one and drawing near to an automated solution. This is by far the most sophisticated CWS variant seen to date, and it will take some time before CWShredder will be able to remove it.
The following updated manual fix should work:
Download this zip: http://www.zero.vulc4n.com/downloads/pv.zip, unzip it to the desktop.
Be sure to have at least one Internet Explorer window open, then double-click on runme.bat.
Notepad will open with a log in it. Look for a line with this file, size and beginning to it. The filename will always be different:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
This part indicates the bad file:
61c00000 61440
It will always start with that header.
Write down the filename behind it.
Now download KillBox:
http://download.broadbandmedic.com/VbStuff/KillBox.zip
Unzip and run it.
Don’t click any of the buttons though, instead please click on the Action menu and choose “Delete on Reboot”.
On the next screen, click on the File menu and choose “Add File”. The file you copied earlier should now show up in the window. If that’s successful, choose the Action menu and select “Process and Reboot”. You’ll be prompted to reboot, do so.
After rebooting, make sure the file is gone.
If this doesn’t work, search on the SpywareInfo forums for topics posted by users with the same problem and read those. If none of the solutions you find work, make a new thread and ask for help.
Worked for me, hope it works for others, good luck.
Windows 98: Click START, click RUN, then type "Msconfig".
Click the STARTUP tab.
Go down the list and uncheck the box that says
"sys = regedit -s sys.reg"
Now reboot and you should be back to normal.
Windows 2000/XP: there is no Msconfig utility, but you can download it from the internet – just go to Google and type "Msconfig."
Good luck
Victor
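Peltsi's and Victor's posts describe the persistence mechanism behind the hijack: an autorun entry that silently re-imports sys.reg at every boot, so the IE start and search keys are put back after each cleanup. As an added example (not from the thread and not code from any tool named in it), here is a small .reg parser that lists every Internet Explorer start/search value a file would set to an untrusted host, so a sys.reg found in a startup list, or the IEFIX.reg offered earlier, can be read before it is merged. The sample sys.reg, the watched value names and the trusted-host list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a .reg file of the kind Peltsi describes (a "sys.reg" silently
# re-imported at every boot). Values are made up around the domain named in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://linklist.cc/index.php?aid=20038"
"Window Title"="Cowboy7"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://linklist.cc/"
"Search Page"="http://linklist.cc/"
"NoUpdateCheck"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
@="http://linklist.cc/"
'''

# IE 6 value names that decide where the browser goes on start, search and
# "page not found" (assumption about which names matter; extend as needed).
WATCHED_VALUES = {"start page", "search page", "default_page_url", "local page",
                  "search bar", "searchassistant", "customizesearch"}
WATCHED_KEY_SUFFIXES = ("\\internet explorer\\main", "\\internet explorer\\search",
                        "\\internet explorer\\searchurl")
# Hosts the user accepts as defaults (assumption; the thread wants ie.search.msn back).
TRUSTED_HOSTS = {"ie.search.msn.com", "www.msn.com", "search.msn.com"}

VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}. Handles string and dword
    data; other types (hex:, deletions with '-') are kept as the raw right-hand side.
    The key's default value is stored under the name '(Default)'."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        rhs = m.group(3)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            data = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif rhs.lower().startswith("dword:"):
            data = int(rhs[6:], 16)
        else:
            data = rhs
        result[current][name] = data
    return result


def hijacked_ie_values(reg, trusted=TRUSTED_HOSTS):
    """Return (key, value_name, url, host) for every IE start/search value the .reg
    would set to a host outside the trusted set."""
    findings = []
    for key, values in reg.items():
        lkey = key.lower()
        if not lkey.endswith(WATCHED_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            # The default value only carries a URL under the SearchURL key.
            watched = name.lower() in WATCHED_VALUES or (
                name == "(Default)" and lkey.endswith("\\searchurl"))
            if not watched or not isinstance(data, str):
                continue
            host = urlparse(data).hostname
            if host not in trusted:
                findings.append((key, name, data, host))
    return findings


if __name__ == "__main__":
    for key, name, url, host in hijacked_ie_values(parse_reg(SAMPLE_REG)):
        print(f"would set {key}\\{name} = {url}  (host {host!r} is not trusted)")
```

Run it on any .reg file before merging; a file that only restores Microsoft defaults produces no output with the MSN hosts trusted, while a sys.reg of the kind above lists every value it would redirect.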
I was having the same problem so I did what you said. I found this:
ctl.dll 61c00000 61440 c:\windows\system32\ctl.dll
but when I went to look for the file, it doesn't exist anywhere on my system, and linklist.cc is still my search URL. I tried CWShredder and other tools by that same author and seemed to clear out all my hijacks except this one! Any other ideas?
Hi,
- Please configure Explorer to show all files/folders via Extras/View -> Folder Options.
- Did you try the KillBox approach above?
- Please post a HijackThis log.
I do have Explorer set to view all files. I looked manually and used the search to find the file and came up short both ways. So obviously I could not KillBox a file I couldn't find.
Here is my HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 11:13:09 AM, on 4/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\AIM\aim.exe
C:\Warez\Misc\KillBox\KillBox.exe
C:\Program Files\Macromedia\HomeSite 5\HomeSite5.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Warez\Misc\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.muchthesame.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM..\Run: [CARPService] carpserv.exe
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [LyraHD2TrayApp] “C:\Program Files\Lyra Jukebox\LyraHD2TrayApp\LYRAHD2TrayApp.exe”
O4 - HKLM..\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM..\Run: [LyraHDProfiler] “C:\Program Files\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe”
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.3886342593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Hi,
Is R1 your desired start page?
Have you tried fixing O14?
Do you really need the Google toolbar?
Have you scanned & fixed in Safe Mode TWICE with Ad-Aware, Spybot and CWShredder AFTER updating them?
If still no results, disable everything you know in startup via msconfig, and then come back here with a new HJT log (it's a bit too cluttered for proper analysis).
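The reply above is a checklist: is the R1 start page yours, has O14 been fixed, is each BHO and autorun wanted? As an added example (not part of the thread and not HijackThis's own code), here is a small triage over HijackThis v1.97 lines of the kinds in these logs that applies those checks mechanically: R0/R1 URL values pointing off a trusted-host list, O2 BHOs registered with no name (these need a look at the DLL path; the Google toolbar and Acrobat ones in the log above are benign), O4 autoruns that silently merge a .reg file, and any O14 IERESET.INF override. The sample lines are copied from the thread's logs plus one constructed O4 entry built from Peltsi's post; the trusted hosts are an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines in HijackThis v1.97 format, mostly copied from the logs in
# this thread; the "[sys] regedit -s sys.reg" autorun is constructed from Peltsi's post.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.97.7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.muchthesame.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cowboy7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

TRUSTED_HOSTS = {"www.msn.com", "ie.search.msn.com", "search.msn.com"}  # assumption
URL_VALUES = {"start page", "search page", "default_page_url", "local page", "search bar"}

ITEM_RE = re.compile(r"^([RFO]\d+) - (.*)$")
R_RE = re.compile(r"^(.*?),([^,=]+?)\s*=\s*(.*)$")       # "<key>,<value> = <data>"
O4_RE = re.compile(r"^(.*?): \[([^\]]*)\]\s*(.*)$")       # "<hive>\..\Run: [name] command"
SILENT_IMPORT_RE = re.compile(r"\bregedit(?:\.exe)?\s+(?:/s|-s)\b", re.IGNORECASE)


def parse_hjt(text):
    """Return [(item_type, body)] for every HijackThis item line; other lines are skipped."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def triage(items, trusted=TRUSTED_HOSTS):
    """Apply the reply's checks; return [(item_type, reason)] for items needing review."""
    findings = []
    for kind, body in items:
        if kind in ("R0", "R1"):
            m = R_RE.match(body)
            if not m:
                continue
            value, data = m.group(2).strip(), m.group(3).strip()
            if value.lower() in URL_VALUES and data:
                host = urlparse(data).hostname
                if host not in trusted:
                    findings.append((kind, f"{value} is set to {data} (host {host!r} not trusted)"))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            # No registered name: legitimate or not, identify the DLL before keeping it.
            findings.append((kind, "BHO with no name, check the DLL: " + body.split(" - ")[-1]))
        elif kind == "O4":
            m = O4_RE.match(body)
            if m and SILENT_IMPORT_RE.search(m.group(3)):
                findings.append((kind, f"autorun [{m.group(2)}] silently merges a .reg file: {m.group(3)}"))
        elif kind == "O14":
            # HijackThis lists O14 only when IERESET.INF differs from the default; since
            # "Reset Web Settings" restores from that file, a changed one re-applies itself.
            findings.append((kind, "IERESET.INF has been changed: " + body))
    return findings


if __name__ == "__main__":
    for kind, reason in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{kind}: {reason}")
```

The checks are deliberately narrow: they surface the same four lines the reply asks about and leave the long O4/O16 tail for a human, which is what the "cluttered log" comment is getting at.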
Alright I did what you said. The first time in safe mode, it did find CWS.Msconfig and Spybot found some tracking cookies. Subsequent checks in safe and normal mode were clean. Here is a selective HijackThis log (I removed anything I specifically knew was okay):
Logfile of HijackThis v1.97.7
Scan saved at 11:04:54 PM, on 4/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\HijackThis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [CARPService] carpserv.exe
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
One thing that's interesting is that I did try to completely uninstall QuickTime but I still notice some stuff in the O16s, though I don't think those are my problem.
After all this, I try going to a site that doesn't exist and I still end up at http://linklist.cc/index.php?aid=20038
I ran pv.exe and still see this:
ctl.dll 61c00000 61440 c:\windows\system32\ctl.dll
Which is supposedly something related to CWS but this file DOES NOT exist on my system as far as I can tell. But if it doesn’t exist, how can it be in the log?
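The pv.exe step earlier in the thread lists the modules loaded into the open Internet Explorer process (which is why the instructions want IE open), so it can report ctl.dll from process memory even when Explorer and the file search show no such file; the listing is the more reliable witness, and the thread's next steps for that case are KillBox's "Delete on Reboot" or an offline DIR/ATTRIB/DEL. As an added example (not part of the thread and not pv.exe's own code), here is a parser for that listing which flags the base/size signature the thread gives and, going a little beyond the thread, any loaded module whose backing file is not visible on disk. The sample listing is constructed around the ctl.dll line posted above; the on-disk check is injectable so the same script can be run against a listing pasted from another machine.

```python
import os
import re

# Signature quoted in the thread for the CWS module: load base 61c00000, size 61440.
CWS_BASE = 0x61C00000
CWS_SIZE = 61440

# One module per line, "<name> <base hex> <size> <path>": the layout of the pv.exe
# output quoted in the thread.
MODULE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]{8})\s+(\d+)\s+(.+?)\s*$")

# Constructed sample: the ctl.dll line is the one posted in the thread; the other
# three are made-up benign neighbours with made-up base addresses and sizes.
SAMPLE_LISTING = r"""
ntdll.dll 77f50000 708608 C:\WINDOWS\System32\ntdll.dll
kernel32.dll 77e60000 1024000 C:\WINDOWS\system32\kernel32.dll
ctl.dll 61c00000 61440 c:\windows\system32\ctl.dll
shdocvw.dll 71700000 1380352 C:\WINDOWS\System32\shdocvw.dll
"""


def parse_modules(text):
    """Return [(name, base, size, path)] for each module line; base parsed as an int."""
    mods = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            mods.append((m.group(1), int(m.group(2), 16), int(m.group(3)), m.group(4)))
    return mods


def suspicious_modules(mods, exists=os.path.exists):
    """Flag a module if it matches the thread's base/size signature, or if it is loaded
    in the process but its file cannot be seen on disk (the "how can it be in the log?"
    case). `exists` is injectable: pass a stand-in when the listing comes from a
    different machine than the one running this script."""
    findings = []
    for name, base, size, path in mods:
        signature = (base == CWS_BASE and size == CWS_SIZE)
        on_disk = bool(exists(path))
        if signature or not on_disk:
            findings.append({"name": name, "path": path,
                             "signature": signature, "on_disk": on_disk})
    return findings


if __name__ == "__main__":
    for f in suspicious_modules(parse_modules(SAMPLE_LISTING)):
        tags = []
        if f["signature"]:
            tags.append("matches CWS base/size signature")
        if not f["on_disk"]:
            tags.append("no file visible on disk")
        print(f"{f['name']:14} {f['path']}  <- {', '.join(tags)}")
```

Run on the machine that produced the listing, a module that is flagged on both counts is the one to hand to the reboot-time delete; run elsewhere (or on the sample above, where none of the paths exist), every module shows as not on disk, which is why the check is injectable.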
Either you haven't enabled Explorer to really show you all files (maybe post a screenshot of the settings you have there?),
or maybe it's only created temporarily?
Are you sure you followed all the steps in the PV procedure? Have you TRIED going through the KillBox procedure, even though you can't see the file in Explorer?
Boot the PC with the Win XP CD, change to the console and navigate with DIR & CD to c:\windows\system32:
try DIR, ATTRIB and DEL on ctl.dll.
Also please post the scan log of CWShredder here, and the contents of your hosts/lmhosts files.
Could it be hidden in a restore point backup? :-\
@GP:
Have you tried this?