Browser hijack - wholeworldmarket.com

 
 
tayalan
 
Reply Mon 19 Apr, 2004 02:34 am
Hi,

I am another victim of the browser hijack.

My homepage will be reset to http://www.wholeworldmarket.com/search/top/ upon every log-in, despite customising to another homepage in the previous log-in. In fact it is the default homepage now. Once I switch to another website, one of the search items in searchmeup.com will pop up, e.g. http://www.searchmeup.com/search.php?aid=278&q=Roulette, http://www.searchmeup.com/search.php?aid=278&q=Party+poker

In addition, it will also add “free movies clips” into Favorites and the link of this is http://ebony.girlshost.net/. Tried to delete this from Favorites, but it will re-appear upon every log-in.

Steps I have done so far:-

I had done a clean-up using SpyBot & Ad-aware and items from All-in-One Telecom: Dialer, NAVEXCEL, MY-WAY SPEEDBAR, DYFUCA, Avenue A, Inc and Doubleclick have been removed.

Using CoolWWWSearch.SmartKiller removal tool CoolWWWSearch.smartkiller was not found in my PC.

Using Cwshredder, the following files were removed from my PC.
- CWS.Smartsearch
- CWS.System.init

By the way, I am unable to locate the TwainTech file in my PC.

I am running on Win2K.

The log from Hijack This shows:-

Logfile of HijackThis v1.97.7
Scan saved at 16:22:24, on 19/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NETSUP~1\client32.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\OfficeScan NT\Pop3Trap.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
D:\d\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wholeworldmarket.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wholeworldmarket.com/search/top/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wholeworldmarket.com/search/top/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wholeworldmarket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wholeworldmarket.com/search/top/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wholeworldmarket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wholeworldmarket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wholeworldmarket.com/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = stproxy.is:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.vic;*.bc;*.is;*.omni;<local>
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\6288.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23b2b94751f7cd2f3306/netzip/RdxIE601.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = st.corp.root
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = st.corp.root
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = st.corp.root

Thanks for your assistance in advance.

Cheers!

Alan

 
soki
 
Reply Wed 21 Apr, 2004 06:12 am
http://www.wholeworldmarket.com/search/top/
From Internet Explorer options, delete the homepage www.wholeworldmarket.com; use blank.

Delete the sstyle.css file from your Windows directory.
Delete the sysdll32.exe file from your system directory. That's the one that does the trick.
Search and delete all registry entries that contain sysdll32.exe or sstyle.css or www.wholeworldmarket.com.
Restart Windows.
It worked fine for me.
good luck...
 
timberlandko
 
Reply Wed 21 Apr, 2004 10:43 am
These are your main problem:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wholeworldmarket.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wholeworldmarket.com/search/top/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wholeworldmarket.com/search/top/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wholeworldmarket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wholeworldmarket.com/search/top/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wholeworldmarket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wholeworldmarket.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wholeworldmarket.com/search/
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23b2b94751f7cd2f3306/netzip/RdxIE601.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\6288.exe


Have HijackThis fix them.

When you ran AdAware, did you first update it (the current reference file, 01R298, is dated 20.04.2004), then configure it for a thorough scan? See How to update AdAware and AdAware Full Scan Instructions. Be sure to configure for full scan. Additionally, under "General" in Configuration, select "Run at Windows startup". Once AdAware has been set up to thoroughly scour your system and to run on boot, reboot, then have AdAware fix whatever it found and reboot one more time and let it run again, and fix whatever, if anything, it found on the second pass. Deselect "Run on Windows startup" when that has been done.

If I were you, I'd look for "Netzip" in Add/Remove Programs, uninstall it if it's there, then hunt down and remove any remaining related files or folders.


Is your machine on a corporate network? The following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = stproxy.is:80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = st.corp.root
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = st.corp.root
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = st.corp.root


are not necessarily bad, but are uncommon.
0 Replies
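
Added example (not part of any poster's reply and not HijackThis's own code): a small Python triage pass over a HijackThis log that flags two of the entry kinds singled out in the reply above, IE start/search page values pointing at a host outside an allow-list and O16 DPF entries whose codebase is a local file:// path. The allow-list, the function name `triage` and the finding labels are assumptions for illustration; the sample lines are copied from the log in this thread except the last, which is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this reviewer accepts as IE start/search pages.
ALLOWED_HOSTS = {"www.msn.com", "www.microsoft.com"}

# "R1 - <registry key>,<value name> = <value>"
R_LINE = re.compile(r"^R[0-3] - (.+?),(.+?) = (.*)$")
# "O16 - DPF: {CLSID} (optional name) - <codebase>"
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S.*)$")

# First four lines are copied from the log posted in this thread;
# the last line is constructed to show a start page that passes.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wholeworldmarket.com/search/top/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = stproxy.is:80
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\6288.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
"""


def triage(log_text):
    """Return (label, identifier, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            _key, name, value = m.groups()
            url = urlsplit(value)
            # Only web URLs are host-checked; proxy settings etc. are skipped.
            if url.scheme in ("http", "https") and url.hostname not in ALLOWED_HOSTS:
                findings.append(("redirected-page", name, url.hostname))
            continue
        m = O16_LINE.match(line)
        if m:
            clsid, _label, codebase = m.groups()
            # A "downloaded program file" installed from a local path is unusual.
            if codebase.lower().startswith("file:"):
                findings.append(("local-dpf", clsid, codebase))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
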
 
tayalan
 
Reply Thu 22 Apr, 2004 12:23 am
Browser hijack - wholeworldmarket.com
Hi Timberlandko,

Thanks for your wonderful advice! Was not able to find "netzip", but still managed to solve the browser hijack.

Yes, I am on corporate domain.

Cheers!

Alan
 
timberlandko
 
Reply Thu 22 Apr, 2004 09:04 am
Yer weccum, tayalan. Glad we could help, and thanks for the update. The feedback on what does and doesn't work in what situations is critically important to the fight. Now, make sure you've got all the security and privacy you oughtta have, and that everything is properly configured and fully patched and updated as appropriate. Be careful out there.