new homepage hijack dbipd.dll?
Join Date: Jun 2004
Posts: 3
Hello,
I recently got infected by a homepage hijacker virus and all of my attempts to rid my PC of the virus have failed.
Description of the virus:
1. it changes the homepage of IE to res://dbipd.dll/index.html#96676
2. it launches (and relaunches) a bunch of processes like sysap32.exe, addql.exe, netey.exe, addok.exe etc...
3. it launches popups with bad advertisements
What I have tried:
1. ran symantec virus scan (always have realtime protection enabled)... found nothing
2. updated and ran cwshredder... found nothing
3. updated and ran spybot... found some cookies and a dbipd.dll key entry... action taken: remove all (delete)
4. updated and ran ad aware... found some more malware... removed all
5. searched the web forever for references to the dbipd.dll and the related processes... no luck...
6. turned off system restore... and ran virus scan again... found no viruses...
After all this the virus remains...
Is this dbipd.dll a new version of the homepage hijacker that I get the priv of being annoyed by first?
Thanks in advance for any help posted... and I promise not to use IE in the future
Here is my hijackthis log:
Logfile of HijackThis v1.97.7
Scan saved at 5:12:17 PM, on 6/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\download\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\dbipd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dbipd.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dbipd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\dbipd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dbipd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\dbipd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
N1 - Netscape 4: user_pref("browser.startup.homepage", "file:///E|/Sites/ScriptTech/index.htm"); (E:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (E:\Documents and Settings\Jonny\Application Data\Mozilla\Profiles\default\c31r8r3a.slt\prefs.js)
O2 - BHO: (no name) - {CBB34022-85E3-83D0-516A-741DF8F48820} - E:\WINDOWS\system32\d3dn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IW Controlcenter] E:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysap32.exe] E:\WINDOWS\system32\sysap32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://12.98.84.234/TDBIN/Spider80.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA1} (WDCapture Class) - https://wip3.webdialogs.com/components/WDATL2.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...978.3928587963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://powertest.webex.com/client/l...ex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C039FE4-34CA-4784-875E-2BB299AE9AB5}: NameServer = 207.155.184.72,206.173.119.72
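The replies in this thread triage a HijackThis log by eye: IE page settings that point at a res:// URL inside a DLL, a BHO with no name, a Run value whose name is just the executable it launches, and an ActiveX download from a bare IP address. The script below is an added example, not part of this thread and not HijackThis's own logic: it applies those same review heuristics to a handful of lines copied from the log above (constructed test input) and lists which DLLs the res:// entries implicate, which is what you would go looking for on disk after the entries are fixed. The heuristics and all function names are my choices for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted in this thread (constructed
# test input; a full log is processed the same way, line by line).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\dbipd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dbipd.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: (no name) - {CBB34022-85E3-83D0-516A-741DF8F48820} - E:\WINDOWS\system32\d3dn.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sysap32.exe] E:\WINDOWS\system32\sysap32.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://12.98.84.234/TDBIN/Spider80.ocx
"""

# A HijackThis line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# res://<module>/<resource>: the module is a DLL given either by full path or by bare name.
RES_RE = re.compile(r"res://(?P<module>[^/]+\.dll)/(?P<resource>\S+)", re.IGNORECASE)
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def parse_res_url(url):
    """Split a res:// URL into the DLL it names and the resource inside it.

    Returns None when the string carries no res:// URL. A module written
    without any path ("dbipd.dll") is located through the DLL search order
    rather than from one fixed directory, which is why the thread's answers
    tell the posters to search the disk for the file by name.
    """
    m = RES_RE.search(url)
    if not m:
        return None
    module = m.group("module")
    return {
        "module": module,
        "dll_name": module.replace("/", "\\").rsplit("\\", 1)[-1].lower(),
        "resource": m.group("resource"),
        "bare_module": "\\" not in module and ":" not in module,
    }


def first_token(cmd):
    """Executable part of a Run value: the quoted path, or the text before the first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return [(section, reason, line)] for each line that trips a review heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            res = parse_res_url(body)
            if res:
                findings.append((code, f"IE page setting points into DLL {res['dll_name']}", line))
        elif code == "O2":
            b = O2_RE.match(body)
            if b and b.group("name").strip().lower() == "(no name)":
                findings.append((code, f"unnamed BHO loaded from {b.group('path')}", line))
        elif code == "O4":
            b = O4_RE.match(body)
            if b:
                exe = first_token(b.group("cmd")).replace("/", "\\").rsplit("\\", 1)[-1].lower()
                # Heuristic: legitimate Run values carry a product name, not "foo.exe" for foo.exe.
                if b.group("name").lower() == exe:
                    findings.append((code, f"Run value named after its own executable {exe}", line))
        elif code == "O16":
            b = O16_RE.match(body)
            if b:
                host = urlsplit(b.group("url")).hostname or ""
                try:
                    ip_address(host)
                except ValueError:
                    continue  # ordinary hostname; not flagged
                findings.append((code, f"ActiveX download from bare IP host {host}", line))
    return findings


def implicated_dlls(log_text):
    """Sorted DLL file names referenced by res:// page settings in the log."""
    names = set()
    for code, _reason, line in triage(log_text):
        if code in ("R0", "R1"):
            names.add(parse_res_url(line)["dll_name"])
    return sorted(names)


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
    print("DLLs to look for on disk:", ", ".join(implicated_dlls(SAMPLE_LOG)))
```

Run against the sample, the script flags the two res:// page settings, the unnamed BHO, the `[sysap32.exe]` Run value and the ActiveX control fetched from 12.98.84.234, and leaves vptray, the blank.htm local page and the QuickTime control alone. The Run-value rule is deliberately narrow so that it does not drown real findings in noise; it is a reviewer's heuristic, not proof that a file is malicious.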
Join Date: Jun 2004
Posts: 5
Can somebody please help me post on this site? I am completely lost as to how one starts a new thread (that's why I'm posting here).
I am extremely ticked that my homepage has been 'hijacked' by:
res://ibmup.dll/index.html#96676
or
http://www.lookfor.cc/index.php?pin=96676
Now I cannot change my homepage and I have popups which I NEVER had before.
Any assistance would be appreciated.
Email: accelerant@sbcglobal.net
Join Date: Jun 2004
Posts: 3
I was all excited that someone was gonna address my problem...
To start a new thread click the "new thread" image on the forum page (page where you can see all of the threads)...
The answer to your problem is probably to go thru the steps I describe in my post... however I am not familiar with that hijack... try cwshredder first..
Hello everybody!
I guess your excitement went to ruins huh? Well I'm here now, let's go burn some viruses!
Try running the online anti-virus of Trend Micro Jhowarth! (Click here) and remove all viruses found.
As for Arobrien,
follow these steps:
First run Ad-aware6.0 (click here) and UPDATE accordingly with the [check for updates now] button and afterwards delete everything it finds.
Download, install and UPDATE Spybot (click here). Scan and fix all items marked in RED.
Perform an online virus scan at Trend Micro's Housecall. Remove every virus found.
Then run Hijackthis (click here) and before scanning close all (browser) windows. After the scanning save the log (notepad will open up) and copy and paste the log in here.
- Yzk
Join Date: Jun 2004
Posts: 5
Yzk:
Thank You for your assistance. I had used everything except Ad-Aware, and it found about 30 CWS Malware files. I deleted them and was then able to reset my homepage. I ran Spybot--it detected nothing. I ran HiJackThis, and deleted the entries that referenced the "pin" # on the malware homepage. Restarted the computer, and things seem to be a bit closer to normal, speedwise. Also, the Trend Micro DL you referred me to keeps "encountering an error and has to shutdown." I have NAV which isn't picking anything up--though it did pick up the Bloodhound.Exploit.10 Virus when I was originally spammed with this spyware, and was unable to repair it. However, it seems to have fixed something, because, like I said, it's not picking anything up at the moment. So, the only problem remaining is the "ONLY THE BEST" pop-ups I keep getting, referencing various porn sites, etc. PROPERTIES for these Pop-Ups reference something in my C Drive (followed by a bunch of %%% type codes).
At any rate, here is the log from HiJackThis (after I deleted some entries I knew were malicious):
Logfile of HijackThis v1.97.7
Scan saved at 12:00:23 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\crmz.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ntvp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E15E1E91-0FD3-9AEB-0959-00933AADA0C4} - C:\WINDOWS\system32\addsv32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [crmz.exe] C:\WINDOWS\system32\crmz.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C500EF36-5C7F-4294-BA4E-09B2B64E4258}: NameServer = 64.169.140.6 206.13.28.12
Thank You again for your assistance.
Adam O'Brien
Yowza!
Okay Arobrien, the whole point of spy/mal/adware is to be OBNOXIOUS! But we all know that now don't we?
FOR BOTH OF YOU, be sure that you have HijackThis in a local folder called C:\HJT\ otherwise it won't make any back ups! And your system might be RUINED!
Only when you are sure that you don't use it as a program, try deleting it.
If the Trend Micro online scan didn't work, try Panda's online anti-virus. click here
Okay, what you want to try now is going into "Safe Mode"
Windows 98/ME Startup Menu
Restart your computer, wait until you see the text "Starting Windows98" and then press F8 (you might want to press a little sooner). Once at the Windows 98 Startup Menu select the Safe Mode option and press Enter.
Windows XP/2000
When you reach the boot menu (if not, press F8 before the windows loading screen) asking you which Operating System you would like to use hit F8 and then choose Safe Mode from the menu.
Just to be sure run Ad-aware and spybot again, see if they pick something up.
Afterwards try removing these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\idfnb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://idfnb.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://idfnb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\idfnb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://idfnb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\idfnb.dll/sp.html#96676
For unknown ones, that means I don't know what they are, but due to strange filenames, they might be spyware. So I'm hoping that you've put HJT in C:\HJT or it WON'T make any back ups. So be careful about removing unknown ones.
Unknown:
C:\WINDOWS\system32\crmz.exe
O4 - HKLM\..\Run: [crmz.exe] C:\WINDOWS\system32\crmz.exe
And after that try deleting them manually by searching. Now why you can't see them is because of the "Hidden Attribute". You can change that by going to [Extra] in the above menu, then go to folder options and then go to the [view] and click on [Show all files].
I hope that fixes it for you.
Now PMurthy,
Try doing what I've said to Arobrien as well (running in safe mode) and then try running ad-aware and spyware again. Afterwards give me another HJT log, this time with all (browser) windows closed.
- Yzk
Originally Posted by pmurthy
I have the same problem except that my homepage gets set to some other dll file. I tried deleting that dll file from the windows system folder, but it made a new one with some freaking name and then I deleted that and it made a new one. This is making me nuts.
I tried every common spyware, virus scan and what not.
I tried several times the following
Updated Adaware
Updated Spybot
Virus scan from Trend micro
PestPatrol
Every time they detect something, delete them and they reappear. I don't know what is going on here.
Please give me suggestions where to go from here.
Here's my latest hijackthis log
Originally Posted by arobrien
FOLLOW-UP:
Looks like I was wrong. I'm back to the HiJacked Homepage:
Join Date: Jun 2004
Posts: 5
I don't know what to say--I deleted all of that, but it comes right back. There is something in the registry that keeps setting everything back. I can't get into certain websites and I can't even log into my online class. Unbelievable. If I knew where the offices for these malware ******** were, I'd molotov cocktail them--NO joke.
Looks like I'm going to have to reformat, unless someone is familiar with this particular application and how to get rid of it.
Thanks,
A.
Try using DLLfix and post the log here
Download from here: http://tools.zerosrealm.com/dllfix.exe
- Yzk