Finally, how to remove the d8t.biz Explorer hijack, FOREVER!

This is intended for anyone who has been plagued by the practically impossible-to-remove d8t.biz spyware. If your browser homepage and searchpage have been hijacked by the address "http://s1di.d8t.biz/index.php?aid=20038" or any other address containing 'd8t.biz' then this is for you. This spyware is highly malicious: even if it is detected by various virus and spyware checkers, it repeatedly regenerates and the problem persists. I've had this on my computer for nearly 2 weeks now and only just got rid of it today. Here we go...

1. Download Hijack This from "http://www.spywareinfo.com/~merijn/f...ackthis.zip". Run it, and get it to fix all references ending in sp.html; this is achieved by ticking the boxes alongside the appropriate lines and then clicking 'fix checked'. Also fix the following line...

   O2 - BHO: (no name) - {random code} - C:\WINDOWS\System32\[suspicious].dll

   N.B. The [suspicious].dll represents the .dll file name that will differ every time. It is the last entry that begins with O2, i.e. the next entry is usually O3...msdxm.ocx

2. Download and install "FINDnFIX.exe" from [http://downloads.subratam.org/FINDnFIX.exe]. Run the "!LOG!.bat" file. This creates a file called "log.txt" – do not close this yet. Scroll down the log; near the top of the page should be the following...

   "C:\WINDOWS\System32\[suspicious].DLL +++ File read error
   C:\WINDOWS\System32\[suspicious].DLL +++ File read error"

   This .dll is the malicious spyware file that needs to be removed.

3. Open notepad.exe from the Start Menu > Accessories menu. Open the file "MOVEit.bat" which is located in the C:\FINDnFIX\Keys1 subfolder. The file will open as a text file. Delete the instruction line which begins "REM..." and copy and paste the following line in its place (without the quotes)...

   "move %WinDir%\System32\[suspicious].DLL %SystemDrive%\junkxxx\[suspicious].DLL"

   Replace [suspicious] with the .dll file name discovered in log.txt. Save the file and close notepad.

4. Get ready to restart your computer. In the same folder, run "FIX.bat". You will be prompted by a popup alert box that your computer will restart in 15 seconds.

5. Once the computer has restarted, open the C:\FINDnFIX\ main folder. Run the "RESTORE.bat" file. This creates a new file called "log1.txt". There should now be no mention of the suspicious .dll file that was discovered in log.txt.

6. Open the FINDnFIX\Files2 subfolder. Run "ZIPZAP.bat". This will clean the rest of the bad files and make copies in the same folder as "junkxxx.zip". Your email client will open, along with an email instruction, but ignore this and close it.

7. When this is finished, restart your computer. Delete the entire 'FINDnFIX' folder from C:\. Make sure the C:\junkxxx folder was deleted (it will have been by the clean-up process, but just check anyway).

8. Your computer should now be totally free of the annoying spyware!

9. To prevent other such infections, read the following article "Why did I get infected": http://www.wilderssecurity.com/showthread.php?t=27971 I recommend installing SpywareBlaster & SpywareGuard; both links are on this page. In addition, it is well worth installing a firewall: I recommend ZoneAlarm which is available here: http://www.zonelabs.com/store/conten...ku_list_za.jsp
Re: Finally, how to remove the d8t.biz Explorer hijack, FOREVER!

I followed all your instructions but the diagnosis from XoftSpy is still the same as in my last post... :sad: So I launched HJT and attached the related log: it seems the DLL in the O2 tag disappeared but the problem still remains.... what do you think?? Again... Notepad.exe seems to have disappeared....

---------------------
Logfile of HijackThis v1.97.7
Scan saved at 19.38.49, on 07/07/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Compaq\COMPAQ~2\hibserv.exe
C:\WINDOWS\system32\acstp\icserv.exe
C:\WINDOWS\system32\acstp\wake_up.exe
C:\Program Files\Microsoft SQL Server\MSSQL$GCPM\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\RTE\RTEGPRS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
c:\program files\acnu\acnupdatersvc.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;<local>
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [eSupInit] "C:\Program Files\Support.com\bin\eSupCmd.exe" -inituser
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe"
O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BlackICE Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...175.0872222222
O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
Re: Finally, how to remove the d8t.biz Explorer hijack, FOREVER!

Hello,

While I yield to Crunchie and other HJT log experts, I can see that you have a problem with the C:\windows\System32\drivers\etc\hosts file. Inside hosts, you should have one entry:

127.0.0.1 localhost

(This is for the IP stack local configuring)

Christian
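A small triage script for the kind of HijackThis log posted above, added here as an example that is not from this thread or from the HijackThis project: it applies the first post's rule (a nameless BHO loaded from System32 as a .dll) and Christian's rule (hosts should map nothing but localhost to a loopback address) to an embedded excerpt of the log. The System32 BHO line and its all-zero CLSID in the sample are constructed placeholders; the other sample lines are copied from the log in the thread.

```python
import re

# Constructed excerpt modelled on the HijackThis log posted in this thread.
# The System32 BHO line and its all-zero CLSID are placeholders, not a real
# indicator; the remaining lines are copied from the log above.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\placeholder.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$")

def flag_hosts_entry(ip, host):
    """Christian's rule: hosts should contain only '127.0.0.1 localhost'.
    Any other name pointed at a loopback address becomes unreachable, which
    is how the hijacker blocks the anti-spyware sites in the posted log."""
    return ip.startswith("127.") and host.lower() != "localhost"

def flag_bho(name, path):
    """First post's rule: a BHO with '(no name)' whose file lives in
    System32 and ends in .dll is the regenerating hijack component."""
    p = path.strip().lower()
    return (name == "(no name)"
            and p.startswith("c:\\windows\\system32\\")
            and p.endswith(".dll"))

def triage_hjt_log(text):
    """Return (section, detail, line) for every entry one of the rules flags."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m and flag_hosts_entry(*m.groups()):
            findings.append(("O1", m.group(2), line))
            continue
        m = O2_RE.match(line)
        if m and flag_bho(m.group(1), m.group(3)):
            findings.append(("O2", m.group(3), line))
    return findings

if __name__ == "__main__":
    for section, detail, line in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"[{section}] {detail}")
```

The Acrobat BHO in the posted log is also "(no name)" but is not flagged because it does not load from System32, which is the distinction the first post relies on.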
Re: Finally, how to remove the d8t.biz Explorer hijack, FOREVER!

You may want to go here to read about XoftSpy, it's a bit of a scam.
http://www.spywarewarrior.com/rogue_anti-spyware.htm

You might try this:
Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Re: Finally, how to remove the d8t.biz Explorer hijack, FOREVER!

Gentlemen, further details... I performed an Ad-aware 6 (trial version) scan too... It identified 10 objects (infected)..... Attached is an interesting section from the Ad-aware log..... I hope it'll be useful..

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Cydoor Object recognized!
Type : File
Data : cd_clint.dll
Category : Data Miner
Comment :
Object : C:\Documents and Settings\firstname.lastname\Local Settings\Temp\
FileSize : 122 KB
FileVersion : 3, 2, 1, 6
ProductVersion : 3, 2, 1, 6
Copyright : Copyright
FileDescription : cd_clint
InternalName : cd_clint
OriginalFilename : cd_clint.dll
ProductName : cd_clint
Created on : 14/04/04 10.30.28
Last accessed : 08/07/04 10.36.56
Last modified : 31/07/03 12.02.00

scam.noadware.net Object recognized!
Type : File
Data : noadware.exe
Category : Malware
Comment :
Object : C:\Program Files\NoAdware\
FileSize : 1568 KB
FileVersion : 2.01
ProductVersion : 2.01
Copyright : Copyright (C) 2003
CompanyName : NoAdware (http://www.noadware.net)
FileDescription : NoAdware Application
InternalName : NoAdware
OriginalFilename : NoAdware.EXE
ProductName : NoAdware Application
Created on : 09/03/04 16.28.32
Last accessed : 08/07/04 09.48.58
Last modified : 09/03/04 16.28.32

iSearch Toolbar Object recognized!
Type : File
Data : a0085893.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP106\
FileSize : 400 KB
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2004. All rights reserved.
CompanyName : iDownload.com
FileDescription : iSearch Toolbar
InternalName : iSearch Toolbar
OriginalFilename : toolbar.dll
ProductName : iSearch Toolbar
Created on : 17/03/04 14.56.02
Last accessed : 08/07/04 10.41.56
Last modified : 17/03/04 14.56.02

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 3

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
30 entries scanned.
New objects :0
Objects found so far: 3

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

scam.noadware.net Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : SOFTWARE\NoAdware

scam.noadware.net Object recognized!
Type : Folder
Category : Malware
Comment :
Object : c:\program files\NoAdware

scam.noadware.net Object recognized!
Type : File
Data : noadware.lnk
Category : Malware
Comment :
Object : c:\documents and settings\firstname.lastname\desktop\
Created on : 07/07/04 09.07.42
Last accessed : 08/07/04 10.54.00
Last modified : 07/07/04 09.07.42

scam.noadware.net Object recognized!
Type : File
Data : logs
Category : Malware
Comment :
Object : c:\program files\noadware\
Created on : 07/07/04 09.07.43
Last accessed : 08/07/04 09.50.22
Last modified : 07/07/04 09.07.43

scam.noadware.net Object recognized!
Type : File
Data : noadware_061904_v201.na
Category : Malware
Comment :
Object : c:\program files\noadware\
FileSize : 343 KB
Created on : 07/07/04 09.07.59
Last accessed : 08/07/04 10.54.00
Last modified : 07/07/04 09.08.01

scam.noadware.net Object recognized!
Type : File
Data : unins000.dat
Category : Malware
Comment :
Object : c:\program files\noadware\
FileSize : 1 KB
Created on : 07/07/04 09.07.42
Last accessed : 08/07/04 10.54.00
Last modified : 07/07/04 09.07.42

scam.noadware.net Object recognized!
Type : File
Data : unins000.exe
Category : Malware
Comment :
Object : c:\program files\noadware\
FileSize : 74 KB
FileVersion : 51.9.0.0
ProductVersion :
Copyright : Copyright (C) 1997-2003 Jordan Russell
CompanyName : Jordan Russell
FileDescription : Inno Setup Uninstaller
Created on : 28/11/03 03.00.00
Last accessed : 08/07/04 10.54.00
Last modified : 28/11/03 03.00.00

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 7
Objects found so far: 10

11.54.00 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00.26.45.309
Objects scanned :159744
Objects identified :10
Objects ignored :0
New objects :10
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC