hijacked browser

Posted 7/21/2004 11:50 AM
#1960
hurley182 Member

Date Joined Nov 2016
Total Posts: 4
I have a problem. My homepage keeps being reset to cnenp.dll which shows a search page. I searched my computer for the cnenp.dll file and deleted it but it just keeps reinstalling itself. I used norton antivirus to scan my computer and it found a trojan but it cannot delete it. I have HiJackThis and it finds the file but when selected and 'fixed' it is only removed until the next startup. Please help me as I am getting a lot of pop ups and my home page keeps being reset to this .dll file.


Will



:yeah:
Posted 7/21/2004 1:10 PM
#1964
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hi hurley182

Post the Hjt logfile here

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 7/21/2004 1:39 PM
#1965
Dunkles Valued member

Date Joined Nov 2016
Total Posts: 28
hurley you might want to download and run spybot and ad-aware you can get from download.com then make sure you run the update feature first. Also try these 2 programs they work great

https://www.hsremove.com/

https://www.rokop-security.de/main/download.php?op=getit&lid=59

Also as touch said please post the HiJack this log.
Posted 7/21/2004 2:32 PM
#1972
eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
Are you by chance running Windows XP?

Because if you are then when you clean it out this time turn off the system restore. Viruses write themselves in there to be annoying like that.

Eagle :smilewinkgrin:
Posted 7/22/2004 10:43 AM
#2022
hurley182 Member

Date Joined Nov 2016
Total Posts: 4
I have Adaware and update it and run it everyday but it still doesn't solve the problem. This is the HJT logfile:


Logfile of HijackThis v1.97.7
Scan saved at 11:42:37, on 22/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\appbl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\system32\crra32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cnenp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cnenp.dll/sp.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35E34195-6EC7-9FF7-74E1-8DBD6B07E389} - C:\WINDOWS\system32\ieff.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\System32\REGCPM32.EXE
O4 - HKLM\..\Run: [crra32.exe] C:\WINDOWS\system32\crra32.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\System32\REGCPM32.EXE
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - https://download.games.yahoo.com/games/clients/y/vtn_x.cab
O16 - DPF: Yahoo! Blackjack - https://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - https://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - https://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - https://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - https://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - https://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - https://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - https://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - https://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - https://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - https://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - https://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - https://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - https://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - https://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - https://www.easports.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - https://207.188.7.150/1111f3343a68e5410617/netzip/RdxIE601.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - https://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - https://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - https://install.wildtangent.com/bgn/partners/wtgeneric/coastbmxfullgrind/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - https://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - https://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - https://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - https://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB086D39-327B-4F16-9561-718B1B021E94}: NameServer = 194.72.9.39 194.74.65.68
Posted 7/22/2004 1:27 PM
#2027
Dunkles Valued member

Date Joined Nov 2016
Total Posts: 28
Ok, I just had this on a customer's PC the other day. I had to go into the registry and manually remove them, then I ran these 2 programs

https://www.hsremove.com/

https://www.rokop-security.de/main/download.php?op=getit&lid=59

To go into the registry click on start then run then type regedit then do a search for this file cnenp.dll and delete them. Also delete any instance of the file on your hard drive which will be in C:\windows\system32 or C:\windows\system or both (they may not be there). When I did mine I deleted them in safe mode. After deleting from the registry I ran the 2 programs above and they deleted a few more files. Then everything was fixed for me. Hope this helps you.

PS. Here is a link to what I think you might be having. If so it could be a PIA for you and anyone else. I am going to have to go back and check that machine I did the other day to make sure it's not back.
It seems to be a rather nasty new variant of coolweb or such if that's what you have.
https://forums.spywareinfo.com/index.php?showtopic=7447
Posted 7/22/2004 2:47 PM
#2035
Mystikal Dreamer Member

Date Joined Nov 2016
Total Posts: 9
Dunkles, seems like someone really doesn't like your homepage eh? It's probably spyware/adware. Most hijackers try not to put stuff in your PC but tracking cookies usually. They are really just made 2 annoy the hell outta you xD! So teach this hijacker somethin. I'm pretty sure when you ran Norton and it detected it it showed where it was at. Go turn off system restore and reboot your computer in safe mode. Go to the location of the infected file and delete it. Do the same with regedit (just use registry keys :P) and then reboot your computer again. After that, scan your computer again, and it should be gone! :) By the way, I read your HijackThis log. You probably do have spyware. That "WildTangent" thing is a browser monitor, and sometimes can be a hijacker. I highly don't recommend having it installed on your computer. I mean sure, it gives great games, awesome 3D graphic games, but what do you want more? Pleasure or privacy xD. I'd recommend u deleting every WildTangent product in your comp as soon as possible. :)

Hope this helps,
Kyra
Posted 7/22/2004 5:21 PM
#2050
old_fart Advanced member

Date Joined Nov 2016
Total Posts: 33
If it is a variant of CoolWebSearch, download and run CWShredder. This picked out different variants on mine.
Posted 7/24/2004 8:36 AM
#2084
hurley182 Member

Date Joined Nov 2016
Total Posts: 4
None of these solutions have worked. I will try again but starting in safe mode and deleting has not helped. Any more ideas from anyone?


Will
Posted 7/24/2004 9:19 AM
#2085
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hi hurley182


Download About:Buster from here, https://tools.zerosrealm.com/AboutBuster.zip
Reboot your computer in safe mode, open About:Buster but don't run it yet. Open HijackThis and select the following to fix:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cnenp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cnenp.dll/sp.html#28129
O2 - BHO: (no name) - {35E34195-6EC7-9FF7-74E1-8DBD6B07E389} - C:\WINDOWS\system32\ieff.dll

O4 - HKLM\..\Run: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\Run: [crra32.exe] C:\WINDOWS\system32\crra32.exe
O4 - HKLM\..\RunServices: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\System32\REGCPM32.EXE

Select fix and close HijackThis.

Now run About:Buster twice and let it fix whatever it finds.

Find and delete:
C:\WINDOWS\system32\ieff.dll
iexplores.exe
C:\WINDOWS\system32\crra32.exe
C:\WINDOWS\System32\REGCPM32.EXE
C:\WINDOWS\system32\appbl.exe
Also delete all files in the folders for Temporary Internet Files

https://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

And post new log

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.
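
Added example, not part of any post in this thread and not HijackThis's own code: a small Python triage pass over HijackThis log lines that applies three heuristics visible in the entries selected above (an IE page setting that points at a `res://` URL, an unnamed BHO sitting directly in system32, and the same autorun value registered under both Run and RunServices). The heuristic names and the embedded sample, which is a subset of lines copied from the log posted earlier, are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cnenp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cnenp.dll/index.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35E34195-6EC7-9FF7-74E1-8DBD6B07E389} - C:\WINDOWS\system32\ieff.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\RunServices: [Internet Explorer Service] iexplores.exe
O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
BHO = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a manual look."""
    findings = []
    autoruns = defaultdict(dict)  # (hive, value name, command) -> {key: line}
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if not entry:
            continue
        section, body = entry.groups()
        if section in ("R0", "R1") and re.search(r"=\s*res://", body, re.I):
            # IE start/search page served from a resource inside a local DLL.
            findings.append(("res-url-page", line))
        elif section == "O2":
            bho = BHO.match(body)
            if bho and bho.group(1) == "(no name)" and re.search(
                    r"\\system32\\[^\\]+$", bho.group(2), re.I):
                findings.append(("unnamed-bho-in-system32", line))
        elif section == "O4":
            run = AUTORUN.match(body)
            if run:
                hive, key, name, cmd = run.groups()
                autoruns[(hive, name, cmd.lower())][key] = line
    # Same value name and command present under both Run and RunServices.
    for keys in autoruns.values():
        if {"Run", "RunServices"} <= set(keys):
            findings.extend(("run-and-runservices", keys[k])
                            for k in ("Run", "RunServices"))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:26} {line}")
```

These checks only narrow down what to read first: on the full log above they would not flag crra32.exe (registered under Run only) or appbl.exe (visible only in the running processes), both of which are on the delete list, so the output is a starting point for a manual review.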


Posted 7/28/2004 2:28 PM
#2208
pupudada Member

Date Joined Nov 2016
Total Posts: 9
hello, i had such a problem before and i can say with 99% guarantee that the following softwares will remove the traces of this bug. use google to locate the url and download them:

1) spybot search & destroy (freeware)

2) xsoftspy (shareware.. the unregistered version will detect BUT NOT remove, the registered version WILL)

hope this helps... cheers & sunshine... pupudada



Posted 7/29/2004 10:31 AM
#2231
hurley182 Member

Date Joined Nov 2016
Total Posts: 4
Hey guys I fixed it. I downloaded SpySweeper and ran that. On the first run through it removed the hijacker and a few other pieces of worthless crap that was automatically installed on my comp over the months. So if this last post helps anyone with the same problem then I feel as though I've done some good...


Thanks to everyone for their help...



Will
Posted 8/3/2004 12:41 AM
#2311
LadyBeth Member

Date Joined Nov 2016
Total Posts: 1
My computer was "hijacked" after I downloaded AOL software. No one could help me fix it--my only recourse was to do a complete system restore. My computer still isn't the same--I lost so many files that I have been building for months. I don't appear to have any sign of the spyware left on my computer--I also don't have anything else either! Consider yourself lucky--I wasn't so lucky.
Posted 8/3/2004 1:40 AM
#2312
eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
Hello ladybeth,

I think your problem could be solved if you get rid of AOL; that stuff can drag any computer down.
Also, try some spyware remover, that probably would have helped. Further, I do not know what your OS is but you could probably use a better anti-virus/firewall program.
But for now I suggest a disk clean and a defrag, because I believe that all of your problems may still be lurking in there. If you have a system restore on your program you may have just made them default programs.
Let me know and I'll do what I can to help.

Eagle :smilewinkgrin:
Posted 9/20/2004 12:57 PM
#3213
Justin Valued member

Date Joined Nov 2016
Total Posts: 10
Spybot and Ad Aware are no good. Most freeware applications don't quite do the job. Maybe you should consider opening your wallet towards your expensive computer for the right Internet Security. I recommend FREEDOM INTERNET SECURITY, I know for a fact it's better than BULLGUARD
Posted 9/20/2004 1:42 PM
#3231
eagle Advanced member

Date Joined Nov 2016
Total Posts: 492
Ok so where do you find it, I'm always looking for opportunities?
Eagle :smilewinkgrin: