http:///4.3.6 - Page 2

Thread: http:///4.3.6

  1. #16
    Registered User zz28's Avatar
    Join Date
    Jan 2002
    Location
    Between Here and There
    Posts
    82
    YES, I did a scan with Norton and it did not find anything. I keep the definitions up to date also.

  2. #17
    Registered User tpeters's Avatar
    Join Date
    May 2004
    Location
    The Heart of the Frozen Midwest
    Posts
    12
    If you have a startpage hijack or "CoolWebSearch" hack there's no other tool that will fix it other than CWShredder. Believe me, I've tried them all at client sites: AdAware, Spybot, all of them. Those are great programs, and I use them religiously. But a browser hijack is a special animal. http://www.merijn.org/files/cwshredder.zip

    You also need BHODemon to look for Mal-ware Browser Helper Objects. You will have some legitimate ones, like Acrobat Reader. But BHODemon will tell you about all of them, in detail, and let YOU decide which ones can run.

    Quote Originally Posted by zz28
    Got a call from my MOM and all of a sudden when she tries to log on to the net her normal startpage is gone. What DOES come up is http:///4.3.6 in the address bar and "page cannot be found" on the page. You can type in other sites in the address bar and they work fine. If you change her start page after a few min. it changes back to http:///4.3.6. I ran hijackthis and it found 7 entries with that in it and removed them but they keep coming back.
    Any Suggestions?

    thanks

    zz

  3. #18
    Registered User tpeters's Avatar
    Join Date
    May 2004
    Location
    The Heart of the Frozen Midwest
    Posts
    12

    Browser hijack

    If you have a startpage hijack or "CoolWebSearch" hack there's no other tool that will fix it other than CWShredder. Believe me, I've tried them all at client sites: AdAware, Spybot, all of them. Those are great programs, and I use them religiously. But a browser hijack is a special animal. http://www.merijn.org/files/cwshredder.zip

    You also need BHODemon to look for Mal-ware Browser Helper Objects. You will have some legitimate ones, like Acrobat Reader. But BHODemon will tell you about all of them, in detail, and let YOU decide which ones can run.

  4. #19
    Registered User zz28's Avatar
    Join Date
    Jan 2002
    Location
    Between Here and There
    Posts
    82
    I have tried everything listed in all of the replies here. Thank you all for your input. In the time I have spent trying to correct this problem I could have formatted the hard drive and started all over. SO, I backed up everything and did just that... Problem solved.

    Thanks again for everyone trying to help.


    zz28

  5. #20
    Registered User
    Join Date
    May 2004
    Location
    Moose Jaw ,SK
    Posts
    2
    Quote Originally Posted by shamus
    I don't see any mention of an AV scan, have you done one? What AV software is on the machine?
    I have been having the same problem, and I did the AV scan and it found an adware and got rid of it, but still the same problem. I use Norton 2004 AV. It has slowed the computer a lot as well.

  6. #21
    Registered User
    Join Date
    May 2004
    Posts
    1

    same thing

    I have the same problem with a client's PC. I have tried everything I can think of: AD-Aware, Spybot, Hijackthis, and I scanned the PC with two different anti-virus programs. Nothing has helped so far. I also noticed that I cannot run Windows updates. As soon as I click on the link to view the updates after the system is scanned, the browser closes. Also, this PC is running Windows XP, and I can no longer switch users as I could before. I get the screen to choose a different user, select the one that is not currently logged in, and all that happens is I get a quick flash of the desktop like it is getting ready to load, then back to the choose user screen. I can use either user as long as I completely log out of the other.
    Don't want to do the ol' "format c:".

  7. #22
    Registered User
    Join Date
    May 2004
    Posts
    2

    And again...

    Seems I have the same problem too... Is this thing spreading?
    I got mine in an email, as an attachment called picture.zip, in which there was a file called report.pif. As I knew nothing of what a .pif file was, I activated it, and was hijacked...
    Besides the problems already stated, I can't log on to my webbank anymore... This is getting annoying...

    Any help is welcome - I also tried everything without any result...

    Just

  8. #23
    Registered User
    Join Date
    May 2004
    Posts
    3
    Add another one. I did a web search and came up with this site. No one else has any mention of the worm. Hope someone can find something to help. By the way, it also affects sending email and posting on message boards.
    Thanks

  9. #24
    Registered User
    Join Date
    May 2004
    Posts
    2

    More info

    Hmmm... Seems Norton found something, anyways.
    I viewed my log, and found that a backdoor haxdoor had been found several times, but that Norton couldn't remove it.
    It is located in windows/system32/debugg.dll (debugg with 2 g's), and that file is completely impossible to remove...

    I'm looking into it...

    Just

    see: http://www.sarc.com/avcenter/cgi-bin....cgi?vid=26466

  10. #25
    Banned TripleRLtd's Avatar
    Join Date
    Aug 2003
    Location
    SW Florida...eye of the storm.
    Posts
    7,251
    Welcome to WD, sabu, just, and cthomas.
    What we need from all of you is to post a New Thread, alright.
    Go here, and follow all the advice given in the first post by NooNoo
    http://forums.windrivers.com/showthread.php?t=57348
    Then, since each of you seem to have done most everything, we will need to have a look at your HiJack This logs individually. There will always be something in the list that will help out here.
    There is no ONE simple fix for this problem. It's detective work and it needs to be dealt with on an individual basis. The original thread here had pretty much ended: the person formatted. This is why none of you got replies.

  11. #26
    Registered User
    Join Date
    May 2004
    Posts
    1
    OK, wife did the same thing, opened pictures.zip that then extracts report.pif. The report.pif is actually the backdoor.haxdoor.b virus that was found May 21, 2004. We run Norton Corp AV and the defs were dated 5/28/2004 before it finally figured out what it was. It's a nightmare to get rid of, but if you go to www.sarc.com and search for backdoor.haxdoor.b it will tell you how to get rid of it. I have seen thousands of spyware programs and have beaten every one of them. This one took us 3 days to hammer out, only a few hours once we found out it was a virus.

    Here is the fix for XP.

    It's tough to get rid of! You need to update your virus software FIRST, then the fun begins. You will get errors about certain files containing viruses once you have updates done. Note the file name(s) and location(s). Browse to the locations and right click on the file and properties, then select the security tab and check deny for the "system" user. You need to do this on every file that has the virus. Once that is complete, restart the system. You should not boot up without any errors about viruses. You will then need to scan your complete system for viruses (with CURRENT definitions). It will remove the virus files. You should then follow the remaining removal portion of the document from www.sarc.com on the haxdoor.b manual removal of the registry. You will most likely get an error when you try to remove some registry keys; if you do, make sure to highlight the key you want to remove and click edit, permissions, and give everyone full permissions. You can now delete the registry key. Continue until ALL registry keys have been removed.

    SEVERAL hours of work on this one, hope it helps someone out!

    KJ

  12. #27
    Registered User
    Join Date
    May 2004
    Posts
    3

    HiJack log attached....thanks!!!!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 7:59:49 AM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
    C:\Program Files\EarthLink TotalAccess\MailClnt.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Documents and Settings\Kim\My Documents\qbw32.exe
    C:\PROGRA~1\COMMON~1\Intuit\QUICKB~1\AXLBRI~1.EXE
    C:\Documents and Settings\Kim\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.6
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.6
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.6
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.6
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.6
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.6
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...112.8547800926
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/ac4plus.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB6E1782-3ACA-44CE-85DE-861705CB03D5}: NameServer = 207.69.188.187 207.69.188.186
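
Added example, not part of any post in this thread: a small Python triage pass over the R0/R1 lines of a HijackThis log like the one above, flagging browser page values that are not absolute URLs (the "/4.3.6" symptom) and proxy settings that point at the local machine. The sample lines are constructed in the log's format, and the function names and the choice of which values to check are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines in the same format as the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.6
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Line shape: "R0 - <hive\key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),(.+?) = (.*)$")
PAGE_VALUES = {"Start Page", "Default_Page_URL", "Search Page", "Default_Search_URL"}
LOOPBACK = {"localhost", "127.0.0.1"}

def parse_r_entries(log_text):
    """Yield (section, key, value_name, data) for each R0-R3 line."""
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            yield m.groups()

def proxy_hosts(data):
    """Hosts in a ProxyServer value: 'host:port' or 'http=host:port;https=...'."""
    hosts = []
    for part in data.split(";"):
        target = part.split("=", 1)[-1].strip()
        target = target.split("://", 1)[-1]
        hosts.append(target.rsplit(":", 1)[0].lower())
    return hosts

def findings(log_text):
    """Return (key, value_name, data, reason) tuples worth a manual look."""
    out = []
    for _section, key, name, data in parse_r_entries(log_text):
        if name in PAGE_VALUES:
            url = urlsplit(data)
            # A usable page needs an http(s) scheme and a host; "/4.3.6" has neither.
            ok = data.startswith("about:") or (url.scheme in ("http", "https") and bool(url.netloc))
            if not ok:
                out.append((key, name, data, "page value is not an absolute http(s) URL"))
        elif name == "ProxyServer" and any(h in LOOPBACK for h in proxy_hosts(data)):
            # Review only: local accelerators and filters also register loopback proxies.
            out.append((key, name, data, "proxy points at loopback"))
    return out
```

A loopback proxy finding means "identify which local program is listening on that port", since legitimate software installs such proxies too.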
