DaniWeb IT Discussion Community

DaniWeb IT Discussion Community (http://www.daniweb.com/forums/index.php)
-   Viruses, Spyware and other Nasties (http://www.daniweb.com/forums/forum64.html)
-   -   IE Hompage hijacked, tried PestPatrol, SpyBot 1.3, Virus scan (http://www.daniweb.com/forums/thread7022.html)

pmurthy Jun 14th, 2004 8:24 pm
IE Hompage hijacked, tried PestPatrol, SpyBot 1.3, Virus scan
 
My computer was fine untill today morning when some crap spyware infected it.
Everytime I search something using google, it opens up a new window which looks like http://search-to-find.com/sec.php?qq=


It resets my homepage to res://dqwrl.dll/index.html#96676 all the time (After I find and delete the dll manually, it makes a new dll file).
Here's my Hijackthis log
I'm frustrated with working on it for hours now. Please any suggestions?

Logfile of HijackThis v1.97.7
Scan saved at 7:22:10 PM, on 6/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\addzp.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\crpq32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
c:\Program Files\PestPatrol\CookiePatrol.exe
c:\Program Files\PestPatrol\PPMemCheck.exe
c:\Program Files\PestPatrol\PPControl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tyagi\Desktop\trash\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqwrl.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dqwrl.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dqwrl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqwrl.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dqwrl.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dqwrl.dll/sp.html#96676
O2 - BHO: (no name) - {6257B617-2809-056A-FCEC-83AB849FBF72} - C:\WINDOWS\sdkry.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Sasser Patch v1 ] msconf.exe
O4 - HKLM\..\Run: [Microsoft Update] xoifzpv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Net Cfg ] service.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [crpq32.exe] C:\WINDOWS\system32\crpq32.exe
O4 - HKLM\..\RunServices: [Sasser Patch v1 ] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Update] xoifzpv.exe
O4 - HKLM\..\RunServices: [Windows Net Cfg ] service.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Sasser Patch v1 ] msconf.exe
O4 - HKCU\..\Run: [Windows Net Cfg ] service.exe
O4 - HKCU\..\Run: [System Update4] c:\docume~1\tyagi\applic~1\logon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Update] xoifzpv.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-b.mhi.aol.com/netagen.../custappx2.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...045.9775810185
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex...te/sdkinst.cab

crunchie Jun 15th, 2004 9:02 am
Re: IE Hompage hijacked, tried PestPatrol, SpyBot 1.3, Virus scan
 
Download & instal Adaware from here
& update it B4 scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot

Download & instal Spybot S&D from here Update it B4 scanning. Go into settings & have it check for Beta releases also & download if available.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad activex controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot

Go here for an on-line scan & set it to autoclean for you.


All times are GMT -4. The time now is 1:55 am.

Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC