Search Home Page Virus

Alright, now, after I run CWShredder, the damn thing keeps coming back. Resilient son of a gun ain’t it? This is what CWShredder found on my system:

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINDOWS\System32\lnk.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\System32\lnk.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINDOWS\System32\lnk.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\System32\lnk.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://C:\WINDOWS\System32\lnk.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: res://C:\WINDOWS\System32\lnk.dll/sp.html (obfuscated)
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (26759 bytes, R)
Shell Registry value: HKLM..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (682 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

- END OF REPORT -

Now, after I fix this, the thing comes back EVERY TIME at the EXACT SAME HOUR. So now what do I do?
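The following is an added example, not part of the thread: a read-only PowerShell audit that re-checks the locations in the CWShredder report above (the IE Main/Search values under both HKCU and HKLM, the URL prefixes, the Winlogon Shell/Userinit values and the hosts file) and flags any IE URL that points into a DLL via res://, which is the signature of this hijack. It also lists two places the report does not cover: AppInit_DLLs, and scheduled tasks, since the poster says the hijack returns at the same hour every night. It assumes Windows PowerShell 3 or later in an elevated prompt; the registry paths and the expected defaults are the standard Windows ones, and nothing here modifies the system.

```powershell
# Added example, not part of the thread: read-only audit of the places the
# CWShredder report above checks (IE start/search values, URL prefixes, the
# Winlogon Shell/Userinit values, the hosts file) plus two it does not cover
# (AppInit_DLLs and scheduled tasks). Assumes Windows PowerShell 3+ in an
# elevated prompt; registry paths and "expected" defaults are Windows' own.

# A hijacked IE value points at an HTML page embedded in a DLL, exactly like
# res://C:\WINDOWS\System32\lnk.dll/sp.html in the report.
$HijackPattern = '^res://.*\.dll/'

function Get-IeUrlValues {
    $names = 'Start Page', 'Search Page', 'Search Bar', 'Default_Page_URL',
             'Default_Search_URL', 'SearchAssistant', 'CustomizeSearch'
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'Main', 'Search') {
            $key = "${hive}:\Software\Microsoft\Internet Explorer\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($name in $names) {
                $data = $props.$name
                if ($null -eq $data) { continue }
                [pscustomobject]@{
                    Location   = "$hive\Software\Microsoft\Internet Explorer\$sub,$name"
                    Data       = $data
                    Suspicious = [bool]($data -match $HijackPattern)
                }
            }
        }
    }
}

function Get-UrlPrefixes {
    # DefaultPrefix is that key's (default) value; the per-scheme prefixes
    # CWShredder lists (www, home, mosaic) are values under \Prefixes.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL'
    $expected = @{ www = 'http://'; home = 'http://'; mosaic = 'http://'; ftp = 'ftp://' }
    $def = (Get-ItemProperty -Path "$base\DefaultPrefix").'(default)'
    [pscustomobject]@{ Name = 'DefaultPrefix'; Data = $def; Suspicious = ($def -ne 'http://') }
    $p = Get-ItemProperty -Path "$base\Prefixes"
    foreach ($n in $expected.Keys) {
        [pscustomobject]@{ Name = $n; Data = $p.$n; Suspicious = ($p.$n -ne $expected[$n]) }
    }
}

function Get-WinlogonAndAppInit {
    $nt  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $wl  = Get-ItemProperty -Path "$nt\Winlogon"
    $win = Get-ItemProperty -Path "$nt\Windows"
    [pscustomobject]@{ Name = 'Shell'; Data = $wl.Shell; Suspicious = ($wl.Shell -ne 'explorer.exe') }
    [pscustomobject]@{ Name = 'Userinit'; Data = $wl.Userinit
                       Suspicious = ($wl.Userinit -notmatch '^[A-Za-z]:\\.*\\userinit\.exe,?$') }
    # A DLL listed in AppInit_DLLs is loaded into every process that links
    # user32.dll, so it can re-apply a hijack on every boot without any
    # visible startup entry. The CWShredder report above does not show it.
    [pscustomobject]@{ Name = 'AppInit_DLLs'; Data = $win.AppInit_DLLs
                       Suspicious = (('' + $win.AppInit_DLLs).Trim() -ne '') }
}

function Get-HostsFileInfo {
    $path = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
    $file = Get-Item -Path $path
    $entries = @(Get-Content -Path $path | Where-Object { $_ -match '^\s*[^#\s]' })
    [pscustomobject]@{
        Path     = $path
        Bytes    = $file.Length
        ReadOnly = $file.IsReadOnly
        Entries  = $entries.Count
        # A stock hosts file has one or two entries. Thousands (26759 bytes in
        # the report) come either from a blocklist installed on purpose or
        # from a hijacker redirecting security and update sites; read them.
        Suspicious = ($entries.Count -gt 20)
    }
}

function Get-ScheduledTaskSummary {
    # schtasks.exe exists from XP on. Newer Windows repeats the CSV header
    # for every task folder, so those rows are dropped.
    schtasks.exe /Query /FO CSV /V 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Select-Object TaskName, 'Task To Run', 'Schedule Type', 'Start Time', 'Next Run Time'
}

'== IE start/search values (the ones CWShredder flagged) =='
Get-IeUrlValues | Format-Table -AutoSize
'== URL prefixes =='
Get-UrlPrefixes | Format-Table -AutoSize
'== Winlogon and AppInit_DLLs =='
Get-WinlogonAndAppInit | Format-List
'== hosts file =='
Get-HostsFileInfo | Format-List
'== scheduled tasks (the hijack returns at the same hour every night) =='
Get-ScheduledTaskSummary | Format-Table -AutoSize
```

Anything marked Suspicious in the first three tables is a res:// entry or a non-default prefix; a task whose Start Time matches the hour the hijack returns, or a non-empty AppInit_DLLs, is the next thing to look at.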

Seems to be startpage.fw… Please use this scanner to see how many files are infected and where they are (System Restore points!).

ftp://ftp.microworldsystems.com/download/tools/mwav.exe
Please scan your PC in Safe Mode.

Don’t wanna sound like an idiot or anything, but how would I go about doing that?

Start the PC in safe mode?

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

That file won’t download for some reason.

Hm, try to download it yourself:

ftp://ftp.microworldsystems.com/download/tools

What exactly does this program do?

It is another virus scanner that uses the Kaspersky engine, but the more important thing is that it uses the Kaspersky Adware/Spyware/Hijacker database. So it should find a bit more of this kind of malware.

Edit: or post a HijackThis log here in this forum.

How to do it: http://tomcoyote.com/hjt/

Alright, I did the searches, I removed the files and the reg entries, but the virus keeps coming back around 1:30 AM EST every night. I thought it was gone. Anyone know what else might be going on here?

Hi,

Disable System Restore before continuing…

This might also help:

install & update Spybot, Ad-Aware and CWShredder, if not already done…
reboot in Safe Mode (F8 at boot) and scan and fix TWICE with each program; ALSO run MWTI/KAV again in Safe Mode

If you still can't remove it, you should post a HijackThis logfile here.

See www.lurkhere.com -> nicefiles and www.lavasoft.de

Maybe this applies to you too:

http://computercops.biz/modules.php?name=Forums&file=viewtopic&p=133970

Further details and links via the board search above.


When I run MWTI/KAV in Safe Mode, it doesn't even detect the problems. Someone told me about a program called aida32. Anyone know if it helps with this problem?

EDIT: Would this problem be resolved if I updated Internet Explorer or removed it completely? Like, what if I uninstalled IE and installed a different web browser such as Firefox Explorer. Do you think that would remove the problem?

Hi,

  • AIDA is a system diagnostic tool designed more for hardware/driver issues

  • when using a different, secure browser, e.g. Opera or Mozilla, you wouldn't experience the start page problems, but:

You should always keep Windows updated, and IE too!!
Because IE is so tightly integrated into Windows, most security holes in it affect Windows security as a whole.

Plus you don't know what else was changed by the hijacker/trojan you now have, so try removing it.

Yes, but still, technically if I uninstalled IE, then the virus should be eradicated…yes?

Hell…if I can’t get rid of it I might as well just reinstall Windows…goddamn viruses…

EDIT: Heh…I just thought of something…you have to admire its persistence…

Try this at your own risk:

Variant #39 of CoolWebSearch - IE pages changed to real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc, hijack inexplicably returning on reboot with no file seemingly responsible

Please follow the procedure below exactly as listed:

1 - Close all programs and disable System Restore. Now reboot and enable System Restore.

2 - Download this zip: Process Viewer: http://tools.zerosrealm.com/downloads/pv.zip . Please unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping, go to the desktop. Open the pv folder. Double-click on runme.bat - a DOS window will open. Please select option 1 for Explorer DLLs by typing 1 and then pressing Enter.

3 - A Notepad window will open with a lot of information in it about running processes etc. Click "Format" and make sure "Word Wrap" is not selected. Click on "Edit" => "Find" and type in "61c00000 61440" (without the quotation marks) and click on "Find Next". If this particular version of CWS is found, you will get a match similar to: "logignh.dll 61c00000 61440 c:\windows\system32\logignh.dll". The filename will always be different (i.e. loginh.dll) - this is the problem, but this will always be constant: 61c00000 61440.

4 - Please download TheKillbox from http://download.broadbandmedic.com/VbStuff/KillBox.zip . Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following: c:\windows\system32\logignh.dll <= Remember that the DLL filename will be different than the one here. Don't click any of the buttons though; instead please click on the "Action" menu and choose "Delete on Reboot". On the next screen, click on the "File" menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the "Action" menu and select "Process and Reboot". You'll be prompted to reboot; do so.

5 - When you're back in Windows, please run the latest version of CWShredder. Keep in mind - you must not have any programs running while you scan, as this can cause the clean-up to fail.

6 - Please double-click runme.bat again. This time choose option 6 for AppInit contents. Notepad will open with a log in it. The specific line we are interested in is: "AppInit_DLLs"="". There may be valid programs in this line. If it is only the DLL as found above, proceed to the next step; if you are unsure, please post the entire contents and wait for expert clarification.

7 - Please double-click runme.bat again. This time choose option 7 to clean AppInit.

8 - Please double-click runme.bat again. This time choose option 6 for AppInit contents once more. Notepad will open with a log in it. This line, "AppInit_DLLs"="", should either be empty or contain only the valid DLLs, not the one as found in point #3.

9 - Run http://www.spywareinfo.com/downloads/tools/IEFIX.reg , which will reset your search page, load page etc. for IE back to the defaults from Microsoft. If you want a different "Start Page", open Internet Explorer and browse to the page/site that you want. Once it has loaded, click on "Tools" => "Internet Options" and under the "General" tab, click on "Use current".

10 - Reboot one final time.
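Added example, not part of the thread and not the code of pv.exe, Killbox, CWShredder or IEFIX.reg: the same procedure done in PowerShell so each step is visible. Step 3 becomes a lookup of explorer.exe's loaded modules by base address and size, step 4 a delete-on-reboot request through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (the standard Windows mechanism for removing a file that is always mapped; that Killbox uses the same call is an assumption), steps 6-8 an AppInit_DLLs edit that keeps any other entries, and step 9 a reset of the IE URL values in both hives. It assumes a 32-bit Windows install with an elevated prompt, that the post's "61c00000 61440" really is the variant's fixed load address and size, and that the URLs below are the IE6-era defaults IEFIX.reg restored (any non-res:// URL you prefer works as well). The DLL name is taken from the scan; "logignh.dll" in the post is only a placeholder.

```powershell
# Added example, not from the thread or the tools it names. Assumes 32-bit
# Windows (32-bit PowerShell cannot enumerate 64-bit explorer.exe modules),
# an elevated prompt, and that "61c00000 61440" from the post is the
# variant's fixed base address and size. The IE URLs are assumed IE6-era
# Microsoft defaults; substitute your own non-res:// URLs if you like.

# Step 3: pv.exe option 1 lists explorer.exe's DLLs with base address and
# size; Get-Process exposes the same data through .Modules.
function Find-ExplorerModule {
    param([string]$BaseAddressHex = '61c00000', [int]$Size = 61440)
    $base = [Convert]::ToInt64($BaseAddressHex, 16)
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        foreach ($m in $proc.Modules) {
            if ($m.BaseAddress.ToInt64() -eq $base -and $m.ModuleMemorySize -eq $Size) {
                $m.FileName
            }
        }
    }
}

# Step 4: "Delete on Reboot". Windows records the request under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# and smss.exe carries it out at the next boot, before any user-mode DLL is
# loaded; that is why a DLL that is always mapped into explorer.exe can go.
$Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-FileOnReboot {
    param([Parameter(Mandatory = $true)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4   # a null destination means "delete"
    if (-not $Kernel32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path}: $(New-Object ComponentModel.Win32Exception $err)"
    }
    "Queued for deletion at next boot: $Path"
}

# Steps 6-8: show AppInit_DLLs, remove only the offending entry, show it again.
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDlls {
    (Get-ItemProperty -Path $AppInitKey).AppInit_DLLs
}

function Remove-AppInitDll {
    param([Parameter(Mandatory = $true)][string]$DllName)
    $current = '' + (Get-AppInitDlls)
    # The value is a space- or comma-separated list; keep every other entry so
    # a legitimate DLL listed there (step 6's caveat) is left alone.
    $kept = @(($current -split '[ ,]+') | Where-Object {
        $_ -and ([IO.Path]::GetFileName($_) -ne $DllName) })
    Set-ItemProperty -Path $AppInitKey -Name AppInit_DLLs -Value ($kept -join ' ')
    "AppInit_DLLs: '$current' -> '$(Get-AppInitDlls)'"
}

# Step 9: what IEFIX.reg did, for both hives CWShredder flagged.
function Reset-IeUrls {
    $defaults = @{
        Main = @{
            'Start Page'         = 'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome'
            'Default_Page_URL'   = 'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome'
            'Search Page'        = 'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'
            'Default_Search_URL' = 'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'
            'Search Bar'         = 'http://search.msn.com/spbasic.htm'
        }
        Search = @{
            'SearchAssistant' = 'http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm'
            'CustomizeSearch' = 'http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm'
        }
    }
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in $defaults.Keys) {
            $key = "${hive}:\Software\Microsoft\Internet Explorer\$sub"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            foreach ($name in $defaults[$sub].Keys) {
                Set-ItemProperty -Path $key -Name $name -Value $defaults[$sub][$name]
            }
        }
    }
}

# Usage: steps 3 and 4 now; reboot; run CWShredder (step 5); then uncomment
# the last two calls for steps 6-9 and reboot once more (step 10).
$hit = Find-ExplorerModule
if ($hit) {
    "Matching module: $hit"
    Remove-FileOnReboot -Path $hit
    "AppInit_DLLs before cleanup: '$(Get-AppInitDlls)'"
    # Remove-AppInitDll -DllName ([IO.Path]::GetFileName($hit))
    # Reset-IeUrls
} else {
    'No explorer.exe module at 0x61c00000 / 61440 bytes; the post''s signature does not match.'
}
```

Remove-AppInitDll filters by file name rather than blanking the value, which is the safer reading of step 6: if a legitimate product has registered a DLL there, it survives, and the before/after line it prints is the check step 8 asks for.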

Thank you Ramen but I was able to remove this problem simply by removing those registry entries. In fact, I never even had the files it needed to replicate, only the registry entries. Thankfully, they were removed and now the thing can’t revive itself.

Thanks for the help anyways! :) \//