BullGuard Antivirus Forum
hijacked browser
   

hurley182
New Member
Date Joined Jun 2004
Total Posts : 4
Posted 7-21-2004 12:50 (GMT +1)
I have a problem. My homepage keeps being reset to cnenp.dll which shows a search page. I searched my computer for the cnenp.dll file and deleted it but it just keeps reinstalling itself. I used Norton AntiVirus to scan my computer and it found a trojan but it cannot delete it. I have HijackThis and it finds the file but when selected and 'fixed' it is only removed until the next startup. Please help me as I am getting a lot of pop-ups and my home page keeps being reset to this .dll file.
 
Will
 
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13619
Posted 7-21-2004 2:10 (GMT +1)
Hi hurley182

Post the HJT logfile here.

Dunkles
New Member
Date Joined Jun 2004
Total Posts : 30
Posted 7-21-2004 2:39 (GMT +1)
hurley, you might want to download and run Spybot and Ad-Aware, which you can get from download.com; then make sure you run the update feature first. Also try these 2 programs; they work great:

http://www.hsremove.com/

http://www.rokop-security.de/main/download.php?op=getit&lid=59

Also, as Touch said, please post the HijackThis log.

eagle
Senior Member
Date Joined May 2004
Total Posts : 805
Posted 7-21-2004 3:32 (GMT +1)
Are you by chance running Windows XP?
Because if you are, then when you clean it out this time turn off System Restore. Viruses write themselves in there to be annoying like that.
Eagle

hurley182
New Member
Date Joined Jun 2004
Total Posts : 4
Posted 7-22-2004 11:43 (GMT +1)
I have Adaware and update it and run it every day but it still doesn't solve the problem. This is the HJT logfile:
 
Logfile of HijackThis v1.97.7
Scan saved at 11:42:37, on 22/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\appbl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\system32\crra32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cnenp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cnenp.dll/sp.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35E34195-6EC7-9FF7-74E1-8DBD6B07E389} - C:\WINDOWS\system32\ieff.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\System32\REGCPM32.EXE
O4 - HKLM\..\Run: [crra32.exe] C:\WINDOWS\system32\crra32.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\System32\REGCPM32.EXE
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtn_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.easports.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1111f3343a68e5410617/netzip/RdxIE601.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/coastbmxfullgrind/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB086D39-327B-4F16-9561-718B1B021E94}: NameServer = 194.72.9.39 194.74.65.68
 
 
 
Dunkles
New Member
Date Joined Jun 2004
Total Posts : 30
Posted 7-22-2004 2:27 (GMT +1)
OK, I just had this on a customer's PC the other day. I had to go into the registry and manually remove them, then I ran these 2 programs:

http://www.hsremove.com/

http://www.rokop-security.de/main/download.php?op=getit&lid=59

To go into the registry, click on Start, then Run, then type regedit, then do a search for this file, cnenp.dll, and delete them. Also delete any instance of the file on your hard drive, which will be in C:\windows\system32 or C:\windows\system or both (they may not be there). When I did mine I deleted them in safe mode. After deleting from the registry I ran the 2 programs above and they deleted a few more files. Then everything was fixed for me. Hope this helps you.

P.S. Here is a link to what I think you might be having. If so, it could be a PIA for you and anyone else. I am going to have to go back and check that machine I did the other day to make sure it's not back.
It seems to be a rather nasty new variant of CoolWeb or such, if that's what you have.
http://forums.spywareinfo.com/index.php?showtopic=7447

Mystikal Dreamer
New Member
Date Joined Jun 2004
Total Posts : 17
Posted 7-22-2004 3:47 (GMT +1)
Dunkles, seems like someone really doesn't like your homepage, eh? It's probably spyware/adware. Most hijackers try not to put stuff in your PC but tracking cookies usually. They are really just made 2 annoy the hell outta you xD! So teach this hijacker somethin. I'm pretty sure when you ran Norton and it detected it, it showed where it was at. Go turn off System Restore and reboot your computer in safe mode. Go to the location of the infected file and delete it. Do the same with regedit (just use registry keys :P) and then reboot your computer again. After that, scan your computer again, and it should be gone! :) By the way, I read your HijackThis log. You probably do have spyware. That "WildTangent" thing is a browser monitor, and sometimes can be a hijacker. I highly don't recommend having it installed on your computer. I mean sure, it gives great games, awesome 3D graphic games, but what do you want more? Pleasure or privacy xD. I'd recommend u deleting every WildTangent product in your comp as soon as possible. :)

Hope this helps,
Kyra

Post Edited (Mystikal Dreamer) : 7/22/2004 2:54:17 PM GMT

old_fart
New Member
Date Joined Jun 2004
Total Posts : 35
Posted 7-22-2004 6:21 (GMT +1)
If it is a variant of CoolWebSearch, download and run CWShredder. This picked out different variants on mine.

hurley182
New Member
Date Joined Jun 2004
Total Posts : 4
Posted 7-24-2004 9:36 (GMT +1)
None of these solutions have worked. I will try again but starting in safe mode and deleting has not helped. Any more ideas from anyone?
 
Will

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 13619
Posted 7-24-2004 10:19 (GMT +1)
Download About:Buster from here,  http://tools.zerosrealm.com/AboutBuster.zip
Reboot your computer in safe mode, open About Buster but don't run it yet. Open Hijack This and select the following to fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cnenp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cnenp.dll/sp.html#28129
O2 - BHO: (no name) - {35E34195-6EC7-9FF7-74E1-8DBD6B07E389} - C:\WINDOWS\system32\ieff.dll
O4 - HKLM\..\Run: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\Run: [crra32.exe] C:\WINDOWS\system32\crra32.exe
O4 - HKLM\..\RunServices: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\System32\REGCPM32.EXE
Select fix and close Hijack This.
Now run About:Buster twice and let it fix whatever it finds.
Find and delete:
C:\WINDOWS\system32\ieff.dll
iexplores.exe
C:\WINDOWS\system32\crra32.exe
C:\WINDOWS\System32\REGCPM32.EXE
C:\WINDOWS\system32\appbl.exe
Also delete all files in the folders for Temporary Internet Files.
And post a new log.
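
A triage sketch for a HijackThis log like the one posted in this thread, added here as an example; it is not part of any poster's reply and not part of HijackThis. The three heuristics (a res:// start or search page, an autostart file name that nearly matches a Windows system binary, the same entry registered under more than one autostart key), the KNOWN_GOOD list and the 0.85 threshold are assumptions; the sample lines are copied from the log above.

```python
import re
from difflib import SequenceMatcher

# Excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
O4 - HKLM\..\Run: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# Assumed reference list of genuine Windows binaries whose names get imitated.
KNOWN_GOOD = ("svchost.exe", "iexplore.exe", "explorer.exe", "lsass.exe", "services.exe")

R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")      # IE page settings
O4_LINE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")  # registry autostart values


def exe_name(command):
    """Return the lower-cased executable file name from an O4 command string."""
    m = re.search(r'([^\\"]+\.exe)', command, re.I)
    return m.group(1).lower() if m else None


def is_lookalike(name, threshold=0.85):
    """True if name is close to, but not exactly, a known system binary name."""
    if name is None or name in KNOWN_GOOD:
        return False
    return any(SequenceMatcher(None, name, good).ratio() >= threshold
               for good in KNOWN_GOOD)


def triage(log_text):
    """Return (reason, line) pairs for log entries matching the heuristics."""
    findings, seen = [], {}
    for line in (raw.strip() for raw in log_text.splitlines()):
        r = R_LINE.match(line)
        if r and r.group(3).lower().startswith("res://"):
            # Browser page served from a resource embedded in a local DLL.
            findings.append(("ie-page-in-dll-resource", line))
            continue
        o4 = O4_LINE.match(line)
        if not o4:
            continue
        key, label, command = o4.groups()
        if is_lookalike(exe_name(command)):
            findings.append(("lookalike-system-name", line))
        # Same value name and command already seen under another autostart key.
        if seen.setdefault((label, command), key) != key:
            findings.append(("duplicate-autostart", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason:26} {entry}")
```

Entries with arbitrary file names, such as crra32.exe in the full log, match none of these heuristics and still need a manual check of the file itself.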

pupudada
New Member
Date Joined Jun 2004
Total Posts : 14
Posted 7-28-2004 3:28 (GMT +1)
Hello, I had such a problem before and I can say with 99% guarantee that the following software will remove the traces of this bug. Use Google to locate the URL and download them:
1) Spybot Search & Destroy (freeware)
2) xsoftspy (shareware.. the unregistered version will detect BUT NOT remove, the registered version WILL)
Hope this helps... cheers & sunshine... pupudada


hurley182
New Member
Date Joined Jun 2004
Total Posts : 4
Posted 7-29-2004 11:31 (GMT +1)
Hey guys, I fixed it. I downloaded SpySweeper and ran that. On the first run through it removed the hijacker and a few other pieces of worthless crap that were automatically installed on my comp over the months. So if this last post helps anyone with the same problem then I feel as though I've done some good...
 
Thanks to everyone for their help...
 
Will

LadyBeth
New Member
Date Joined Aug 2004
Total Posts : 1
Posted 8-3-2004 1:41 (GMT +1)
My computer was "hijacked" after I downloaded AOL software.  No one could help me fix it--my only recourse was to do a complete system restore.  My computer still isn't the same--I lost so many files that I have been building for months.  I don't appear to have any sign of the spyware left on my computer--I also don't have anything else either!  Consider yourself lucky--I wasn't so lucky.

eagle
Senior Member
Date Joined May 2004
Total Posts : 805
Posted 8-3-2004 2:40 (GMT +1)
Hello ladybeth,

I think your problem could be solved if you get rid of AOL; that stuff can drag any computer down.
Also, try some spyware remover; that probably would have helped. Further, I do not know what your OS is, but you could probably use a better antivirus/firewall program.
But for now I suggest a disk clean and a defrag, because I believe that all of your problems may still be lurking in there. If you have a system restore on your program you may have just made them default programs.
Let me know and I'll do what I can to help.

Eagle

Justin
New Member
Date Joined Sep 2004
Total Posts : 13
Posted 9-20-2004 1:57 (GMT +1)
Spybot and Ad Aware are no good. Most freeware applications don't quite do the job. Maybe you should consider opening your wallet towards your expensive computer for the right Internet security. I recommend FREEDOM INTERNET SECURITY; I know for a fact it's better than BULLGUARD.

eagle
Senior Member
Date Joined May 2004
Total Posts : 805
Posted 9-20-2004 2:42 (GMT +1)
OK, so where do you find it? I'm always looking for opportunities.
Eagle