Home search IE hijack


#1 adam999




Posted 25 June 2004 - 05:26 PM

Having a problem with Internet Explorer where the start and search pages are getting overwritten with links to DLLs on the hard drive. The URLs are of the form:


where xxxxx is a seemingly randomly generated 5-character string. There are constant popups regarding spyware and spyware removal tools. There is also an increasing drag on the browsing speed while IE is running; it just gets slower and slower.

The newest versions of Spybot S&D and AdAware were not able to get rid of the problem. Looking at the HijackThis log there appears to be a BHO that is the root of the problem along with many suspicious RunOnce entries during startup. I could start just blasting each of the entries, but I wanted to run this by the community first. I followed the FAQ, but the hijack appears to regenerate constantly.

Following is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:58:47 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\My Documents\Adam's crap\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lfbcj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lfbcj.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lfbcj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lfbcj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lfbcj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lfbcj.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1213B49D-9D45-A2C8-01DB-95DEB4CC99FA} - C:\WINDOWS\sdkgd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKLM\..\Run: [apipv.exe] C:\WINDOWS\system32\apipv.exe
O4 - HKLM\..\Run: [keimmxk] "C:\WINDOWS\System32\keimmxk.exe"
O4 - HKCU\..\Run: [regsrv32.exe] regsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [crln.exe] C:\WINDOWS\system32\crln.exe
O4 - HKLM\..\RunOnce: [crnl32.exe] C:\WINDOWS\crnl32.exe
O4 - HKLM\..\RunOnce: [mfcaz32.exe] C:\WINDOWS\mfcaz32.exe
O4 - HKLM\..\RunOnce: [apiyi32.exe] C:\WINDOWS\apiyi32.exe
O4 - HKLM\..\RunOnce: [sdkdk32.exe] C:\WINDOWS\sdkdk32.exe
O4 - HKLM\..\RunOnce: [sdkgx.exe] C:\WINDOWS\sdkgx.exe
O4 - HKLM\..\RunOnce: [syspz.exe] C:\WINDOWS\syspz.exe
O4 - HKLM\..\RunOnce: [msqa32.exe] C:\WINDOWS\system32\msqa32.exe
O4 - HKLM\..\RunOnce: [netbn32.exe] C:\WINDOWS\system32\netbn32.exe
O4 - HKLM\..\RunOnce: [addds32.exe] C:\WINDOWS\addds32.exe
O4 - HKLM\..\RunOnce: [syshb.exe] C:\WINDOWS\syshb.exe
O4 - HKLM\..\RunOnce: [sdkge32.exe] C:\WINDOWS\system32\sdkge32.exe
O4 - HKLM\..\RunOnce: [msyu32.exe] C:\WINDOWS\msyu32.exe
O4 - HKLM\..\RunOnce: [addoh32.exe] C:\WINDOWS\addoh32.exe
O4 - HKLM\..\RunOnce: [sysgy32.exe] C:\WINDOWS\system32\sysgy32.exe
O4 - HKLM\..\RunOnce: [sdkvg.exe] C:\WINDOWS\system32\sdkvg.exe
O4 - HKLM\..\RunOnce: [addwk32.exe] C:\WINDOWS\addwk32.exe
O4 - HKLM\..\RunOnce: [javafo32.exe] C:\WINDOWS\system32\javafo32.exe
O4 - HKLM\..\RunOnce: [mstu.exe] C:\WINDOWS\mstu.exe
O4 - HKLM\..\RunOnce: [ntxm32.exe] C:\WINDOWS\ntxm32.exe
O4 - HKLM\..\RunOnce: [d3fs32.exe] C:\WINDOWS\d3fs32.exe
O4 - HKLM\..\RunOnce: [mfcyg32.exe] C:\WINDOWS\system32\mfcyg32.exe
O4 - HKLM\..\RunOnce: [atlic.exe] C:\WINDOWS\atlic.exe
O4 - HKLM\..\RunOnce: [nttr32.exe] C:\WINDOWS\system32\nttr32.exe
O4 - HKLM\..\RunOnce: [netur32.exe] C:\WINDOWS\system32\netur32.exe
O4 - HKLM\..\RunOnce: [javaue.exe] C:\WINDOWS\system32\javaue.exe
O4 - HKLM\..\RunOnce: [javaab32.exe] C:\WINDOWS\system32\javaab32.exe
O4 - HKLM\..\RunOnce: [javays32.exe] C:\WINDOWS\javays32.exe
O4 - HKLM\..\RunOnce: [mfczb.exe] C:\WINDOWS\system32\mfczb.exe
O4 - HKLM\..\RunOnce: [crwl32.exe] C:\WINDOWS\system32\crwl32.exe
O4 - HKLM\..\RunOnce: [ieus.exe] C:\WINDOWS\system32\ieus.exe
O4 - HKLM\..\RunOnce: [atlzu.exe] C:\WINDOWS\system32\atlzu.exe
O4 - HKLM\..\RunOnce: [ipfg32.exe] C:\WINDOWS\ipfg32.exe
O4 - HKLM\..\RunOnce: [d3os32.exe] C:\WINDOWS\system32\d3os32.exe
O4 - HKLM\..\RunOnce: [netrl.exe] C:\WINDOWS\netrl.exe
O4 - HKLM\..\RunOnce: [adduw32.exe] C:\WINDOWS\adduw32.exe
O4 - HKLM\..\RunOnce: [crxp.exe] C:\WINDOWS\system32\crxp.exe
O4 - HKLM\..\RunOnce: [winoj.exe] C:\WINDOWS\system32\winoj.exe
O4 - HKLM\..\RunOnce: [javaru32.exe] C:\WINDOWS\system32\javaru32.exe
O4 - HKLM\..\RunOnce: [d3cj32.exe] C:\WINDOWS\d3cj32.exe
O4 - HKLM\..\RunOnce: [javadj.exe] C:\WINDOWS\javadj.exe
O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
O4 - HKLM\..\RunOnce: [ipjp.exe] C:\WINDOWS\system32\ipjp.exe
O4 - HKLM\..\RunOnce: [mfcye.exe] C:\WINDOWS\system32\mfcye.exe
O4 - HKLM\..\RunOnce: [sdkpr.exe] C:\WINDOWS\system32\sdkpr.exe
O4 - HKLM\..\RunOnce: [d3hq32.exe] C:\WINDOWS\system32\d3hq32.exe
O4 - HKLM\..\RunOnce: [apipu32.exe] C:\WINDOWS\apipu32.exe
O4 - HKLM\..\RunOnce: [addli32.exe] C:\WINDOWS\system32\addli32.exe
O4 - HKLM\..\RunOnce: [sdkmm32.exe] C:\WINDOWS\sdkmm32.exe
O4 - HKLM\..\RunOnce: [winxi32.exe] C:\WINDOWS\winxi32.exe
O4 - HKLM\..\RunOnce: [ieub.exe] C:\WINDOWS\ieub.exe
O4 - HKLM\..\RunOnce: [ieqi32.exe] C:\WINDOWS\ieqi32.exe
O4 - HKLM\..\RunOnce: [iprg.exe] C:\WINDOWS\system32\iprg.exe
O4 - HKLM\..\RunOnce: [mfclg.exe] C:\WINDOWS\system32\mfclg.exe
O4 - HKLM\..\RunOnce: [syswz32.exe] C:\WINDOWS\system32\syswz32.exe
O4 - HKLM\..\RunOnce: [mfchv.exe] C:\WINDOWS\mfchv.exe
O4 - HKLM\..\RunOnce: [ieie32.exe] C:\WINDOWS\system32\ieie32.exe
O4 - HKLM\..\RunOnce: [netzj32.exe] C:\WINDOWS\system32\netzj32.exe
O4 - HKLM\..\RunOnce: [mfcbj.exe] C:\WINDOWS\system32\mfcbj.exe
O4 - HKLM\..\RunOnce: [d3vs32.exe] C:\WINDOWS\d3vs32.exe
O4 - HKLM\..\RunOnce: [addoo.exe] C:\WINDOWS\system32\addoo.exe
O4 - HKLM\..\RunOnce: [crhg.exe] C:\WINDOWS\system32\crhg.exe
O4 - HKLM\..\RunOnce: [atlmt.exe] C:\WINDOWS\atlmt.exe
O4 - HKLM\..\RunOnce: [netei.exe] C:\WINDOWS\system32\netei.exe
O4 - HKLM\..\RunOnce: [sysdl32.exe] C:\WINDOWS\system32\sysdl32.exe
O4 - HKLM\..\RunOnce: [atlfd32.exe] C:\WINDOWS\system32\atlfd32.exe
O4 - HKLM\..\RunOnce: [msjp.exe] C:\WINDOWS\msjp.exe
O4 - HKLM\..\RunOnce: [winie32.exe] C:\WINDOWS\winie32.exe
O4 - HKLM\..\RunOnce: [atlgk32.exe] C:\WINDOWS\system32\atlgk32.exe
O4 - HKLM\..\RunOnce: [netui.exe] C:\WINDOWS\netui.exe
O4 - HKLM\..\RunOnce: [atlpl32.exe] C:\WINDOWS\atlpl32.exe
O4 - HKLM\..\RunOnce: [addcp32.exe] C:\WINDOWS\system32\addcp32.exe
O4 - HKLM\..\RunOnce: [appkv32.exe] C:\WINDOWS\system32\appkv32.exe
O4 - HKLM\..\RunOnce: [crtz.exe] C:\WINDOWS\system32\crtz.exe
O4 - Startup: netdb.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

Thanks a lot for any assistance you can provide.
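
The manual review described in the post (IE page entries, the Shell= line, the BHOs and the RunOnce values), written out as an added example that is not part of the original thread. The heuristics and the `triage` function name are assumptions chosen for illustration, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Excerpt copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lfbcj.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1213B49D-9D45-A2C8-01DB-95DEB4CC99FA} - C:\WINDOWS\sdkgd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\RunOnce: [crln.exe] C:\WINDOWS\system32\crln.exe
O4 - HKLM\..\RunOnce: [crnl32.exe] C:\WINDOWS\crnl32.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\System32 (no deeper folder).
WIN_ROOT = re.compile(r"C:\\WINDOWS\\(?:system32\\)?([^\\]+)$", re.I)
RUNONCE = re.compile(r'^HKLM\\\.\.\\RunOnce: \[([^\]]+)\] "?([^"]+)"?')

def triage(log_text):
    """Return {reason: [lines]} for entries matching this example's heuristics."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if code in ("R0", "R1") and "= res://" in body:
            hits["IE page set to a res:// URL"].append(line)
        elif code in ("F0", "F2") and re.search(r"Shell=explorer\.exe\s+\S", body, re.I):
            hits["extra program appended to Shell="].append(line)
        elif code == "O2" and WIN_ROOT.search(body):
            hits["BHO DLL directly in the Windows directory"].append(line)
        elif code == "O4":
            r = RUNONCE.match(body)
            w = WIN_ROOT.search(r.group(2)) if r else None
            # Value name identical to the file it launches, e.g. [crln.exe] ...\crln.exe
            if w and w.group(1).lower() == r.group(1).lower():
                hits["RunOnce value named after its own file"].append(line)
    return dict(hits)

if __name__ == "__main__":
    for reason, lines in triage(SAMPLE_LOG).items():
        print(f"{reason}: {len(lines)}")
```

A match is a lead for closer inspection, not a verdict; legitimate software can also trip these rules.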

#2 adam999




Posted 25 June 2004 - 05:51 PM

Unfortunately I somehow missed PGPhantom's update on this. Apparently AdAware did not have the latest update. I will follow those instructions and post the new hijacklog if the problems persist.
