Jump to content


Photo

Can't Rid Myself of this


  • This topic is locked This topic is locked
6 replies to this topic

#1 westonm

westonm

    Member

  • New Member
  • Pip
  • 3 posts

Posted 27 June 2004 - 03:32 PM

I have been battling a hijack for about 4 or 5 days now and am not getting anywhere. I have run SpyBot and Adware Spy multiple time and always end up with the same thing - I fix the problems I find but they just return when I re-open IE. The first time I re-open IE it will go to blank but when I close it and re-open again it is back at the hijacked site. The sit takes on several diferent names, the latest is cxdef.dll/index.html#96676 . The first part, the dll file name will change through several different names but the 96676 is always there. I have followed to the best of my ablilities all of the instruction but am getting nowhere. I don't know if this is related, but about whne this started, I started getting Microsoft Internet Explorer Error Reporting Tool box come up when I open ID. When I click either don't send or send error report, IE closes. If I leave is on the screen I can use the browser but the box just gets in the way. When I close and come back into IE I have been hijacked again.

Thanks for any help that you may be able to provide, you guys are providing a very valuable service and i certainly appreciate all that you do.

The log file is as follows -

Logfile of HijackThis v1.97.7
Scan saved at 1:25:49 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\javasl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\WINDOWS\sysbp.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cxdef.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxdef.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cxdef.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cxdef.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cxdef.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cxdef.dll/sp.html#96676
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Default\Application Data\Mozilla\Profiles\default\89fsn7wz.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKLM\..\RunOnce: [javasl.exe] C:\WINDOWS\system32\javasl.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 27 June 2004 - 04:41 PM

Hello westonm,

Please download About:Buster by RubbeR DuckY from

http://www.atribune....AboutBuster.zip

Then Unzip it to your desktop. Do not run it yet.
Print these directions or paste them into a text document as you will be running with your internet explorer closed.

Restarting internet explorer may cause a reinfection.

Please Open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll

O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe
O4 - HKLM\..\RunOnce: [javasl.exe] C:\WINDOWS\system32\javasl.exe


Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".


Now startup About:Buster.

Hit ok on the first prompt
Then hit start.
Next hit ok.

Wait till the scan completes and copy the report and save it somewhere.

Rerun About:Buster to make sure everything was deleted.

Then restart your computer.

It is now safe to reopen Internet explorer. Please post a new hijack this log along with a report.

#3 westonm

westonm

    Member

  • New Member
  • Pip
  • 3 posts

Posted 27 June 2004 - 07:10 PM

Followed instructions - had one incident where ZoneAlarm indicated a program was trying to access the internet while About:Buster was runing. Everything seemed to complete ok but unfortunately I still have the same problem. The current log from hijack this is as follows.

Logfile of HijackThis v1.97.7
Scan saved at 7:02:39 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\javasl.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\WINDOWS\sysbp.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cikvo.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cikvo.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cikvo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cikvo.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cikvo.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cikvo.dll/sp.html#96676
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Default\Application Data\Mozilla\Profiles\default\89fsn7wz.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 27 June 2004 - 07:49 PM

Ok, let's try to do it in Safe Mode.
Tap F8 while restarting to get into Safe Mode, then

Open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {6EB6A56A-4BFC-3BA9-232B-8316BEE8CB76} - C:\WINDOWS\system32\javatf32.dll

O4 - HKLM\..\Run: [sysbp.exe] C:\WINDOWS\sysbp.exe


Then, Close all open Windows, only have HJT open, and click "Fix Checked".


Now startup About:Buster.

Hit ok on the first prompt
Then hit start.
Next hit ok.

Wait till the scan completes and copy the report and save it somewhere.

Rerun About:Buster to make sure everything was deleted.

Then restart your computer.

It is now safe to reopen Internet explorer. Please post a new hijack this log along with a report.

#5 westonm

westonm

    Member

  • New Member
  • Pip
  • 3 posts

Posted 28 June 2004 - 08:50 PM

You will never know how much I appreciate this - I think it worked. I have been able to open IE multiple times and haven't gotten the other sites, my home page has remained my home page. I am amazed that I posted yesterday, and today I am on page 17 of the posts - that is an incredible amount of posts from people having the same or similar problems that I had. I am attaching the (hopefully) last hijack this log file - and thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 8:34:04 PM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\hijack this\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Default\Application Data\Mozilla\Profiles\default\89fsn7wz.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 28 June 2004 - 09:09 PM

You're welcome westonm!

You should be fine now.
Here is some free protection you should consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check for updates occaisionally.

And also see, So how did I get infected in the first place?

#7 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 28 June 2004 - 09:23 PM

Good luck, and thanks for coming to our forums for help with your security and malware issues.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.

Everyone else having a similar issue, please launch a new topic for yourselves.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button