srajan

about:blank, bkcdpnc.dll/sp.html (obfuscated)

14 posts in this topic

Hi,

I have tried so many ways to deal with this problem and I have spent so much time on this that I have finally given up trying myself. I think I need someone's help to get rid of this problem.

I have used HijackThis every time to get rid of this stupid browser hijacker

bkcdpnc.dll/sp.html (obfuscated) :angry:

blank.html :angry:

but it always comes back. I have used CWShredder.exe to clean them. It says that it removed and cleaned some stuff, but I don't know what!! I have used Ad-aware 6.0 to remove all the spyware. It does, but after some time these things come back. Something very amazing happened. I don't know if it has happened to any of you. I used HijackThis to remove these unwanted things and check-marked them, but HijackThis removed almost everything except 3-4 items. I went to check the backup and there were all of the deleted files. Then I had to restore them one by one by clicking. You cannot restore a bunch of them at one time. Very stupid. Then when I went to check the restored files, I saw these morons back again. All the blank.html and blah-blah. I am just posting after that.

I have been having this problem for almost a month. I also use Spybot Search & Destroy, but it is no use. This spyware is not leaving me. For God's sake, help me.

Here is the log file after getting rid of spywares.

 

Logfile of HijackThis v1.97.7

Scan saved at 5:12:05 AM, on 5/21/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\svchost.exe

G:\Program Files\Norton AntiVirus\navapsvc.exe

G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINNT\System32\svchost.exe

G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

G:\Program Files\burst\burst.exe

G:\Program Files\burst\btdownloadheadless.exe

G:\Program Files\Yahoo!\Messenger\ypager.exe

C:\WINNT\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Prateek Singh\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Prateek Singh

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {44144E87-6532-42B7-BA68-D23B946EC226} - C:\WINNT\system32\bkcdpnc.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "G:\PROGRA~1\iolo\SYSTEM~1\SMUtilityBar.exe"

O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

A million thanks to all the people who are going to help me.

-srikant.


Download this file from http://downloads.subratam.org/dllfix.exe.

 

Preferably to Desktop. Double click on it and, it being a self-extractor, it will create its own folder. Run Start.Bat from there. Run Option 1, which is "Run Find-All... ". Let it complete and there will be a pop-up window with a log.

Run the start.bat again after dll found or whatever. Run option 2 and choose correct option in submenu.

Option 1 --> is if you found the dllname that is locked or in the appinit key.

Option 2 --> is for if you can't find the dllname.

Reboot. There will be the scan for the " dll " on-boot screen, which will search and fix it. There will just be an md5 scan if the filename was entered manually. (option 2,1 in start.bat)

Reboot and download Ad-aware. Check for updates. Then run the updated Ad-aware.

 

Reboot. Run HijackThis and post the fresh log.

 

 

Good luck...


Let me first thank you for helping me. I am really grateful. I did everything as you asked. I couldn't understand the option concept though. Therefore I chose option 1. I ran Ad-aware twice, rebooting after each time. Even after the third time, I still see so many of them. This popup address also comes up in Internet Explorer: http://69.20.62.53/yyy3.html.

Also I tried installing Spyware Blaster. But it doesn't get installed. It says "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." I don't know what this is. I have tried to reinstall so many times, but no use.

Here is the latest logfile.

 

Logfile of HijackThis v1.97.7

Scan saved at 6:57:59 AM, on 5/21/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\svchost.exe

G:\Program Files\Norton AntiVirus\navapsvc.exe

G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINNT\system32\igfxtray.exe

G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Prateek Singh\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Prateek Singh

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Ad-aware] "G:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "G:\PROGRA~1\iolo\SYSTEM~1\SMUtilityBar.exe"

O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

God and the creator only know what these are.

HELP.

-srikant.


I'll rewrite it... It's a standard fix... ;)

 

Download Dllfix again

When downloaded, double click it, choose a location to install it, and hit install...

 

Run Start.Bat from there.

Type 1

Hit enter

Hit Ok to continue

Let it complete and there will be a pop-up window with a log.

 

Post that log in here... I'll have a look at it...

We'll take it from there then...

 

 

Good Luck...


I ran the dllfix as you told me.

I just wanted to tell you that I somehow came across the Norton AntiVirus website where they talk about the "iget.net" spyware. I followed their advice. I deleted some of the keys from the registry and then rebooted in safe mode. I did a complete system scan and then opened all the hosts files one by one in the c:\winnt\system32\etc folder and deleted the line containing auto.search.msn.com, and the same for netscape.com and iget.net. But even after that some popups occurred automatically. :wub:

There are two links which automatically opened.

http://69.20.62.53/yyy2.html :(

http://www.popularscreensavers.com/?partne...xdm206&spu=true :(

 

This is the log file from dllfix.

 

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

 

Fri 05/21/2004

11:45a

 

System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

D: "User_Files" (481D:E041) - FS:NTFS clusters:4k

Total: 20 987 011 072 [20G] - Free: 5 902 626 816 [5.5G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

*Google Toolbar version and Attributes:

2.0.110.0 C:\Program Files\google\googletoolbar1.dll

Defaults: "A" ;"R"

File not found - C:\Program Files\google\googletoolbar2.dll

A C:\Program Files\google\GoogleToolbar1.dll

 

*UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{83BA15C2-583D-4418-9294-ADD484C7D03D}"=""

 

 

*Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

*M$Java version:

 

 

*PC uptime:

11:45am up 0 days, 0:38

Locked or 'Suspect' file(s) found...

 

 

*List of top level windows:

HWND PID PRIO TITLE

201ca 1300 norm PermissionDlg

503e8 1072 norm SysFader

e02c6 1072 norm SysFader

10050 1072 norm _Shell_TrayWnd

30258 628 norm SysFader

200ac 1256 norm Norton AntiVirus

201ce 1300 norm AutoVPNAlertDlg

200c4 1300 norm ViolationDlg

10018 244 high NetDDE Agent

c0248 1464 norm C:\WINNT\system32\cmd.exe

1900c8 628 norm SWI Forums -> about:blank, bkcdpnc.dll/sp.html (obfuscated) - Prateek Singh

100286 1072 norm Timer

c03de 1072 norm dllfix

1009e 1280 norm igfxtrayWindow\\.\Display1

110274 628 norm MCI command handling window

3023c 628 norm DDE Server Window

20280 1072 norm MCI command handling window

70080 1300 norm ZoneAlarm Pro

100b0 1388 norm AcrobatTrayIcon

10098 1256 norm ccApp

10094 1072 norm CSC Notifications Window

1008a 1072 norm Power Meter

10086 1072 norm MS_WebcheckMonitor

10084 1072 norm Connections Tray

30038 1072 norm DDE Server Window

20034 760 norm SYSTEM AGENT COM WINDOW

10026 676 norm UnErase Process

1001a 244 high MM Notify Callback

30030 1072 norm Program Manager

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]

"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read Everyone

(ID-IO) ALLOW Read Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read Everyone

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

I was determined to fix the problem today. I have already spent more than 7 dedicated hours on this one. I don't know how much more time it is going to take before it gets fixed.

thanks for your help.

-srikant. :)


Restart the start.bat: double click it

Type 2

Hit Enter

Type 2

Hit enter

Let the program perform the fix...

 

Reboot...

There will be the scan for the " dll " on-boot screen, which will search and fix it...

Reboot again and Download Ad-aware if you haven't got it...

Ad-aware:

 

Download Ad-Aware at http://www.lavasoftusa.com/support/download/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions...

 

Run the program, and click on the globe on the top-right... Click connect, answer yes when a new reference file is found, and after this, hit finish...

 

Now do the following:

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check:  "Unload recognized processes during scanning."

 

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check:  "Let Windows remove files in use after reboot."

 

Press "Scan Now"

 

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

 

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys... Click 'Next' again

Right-click in that pane and choose "select all"

 

If it finds "bad" files and registry keys, press "Next" again

It will ask you whether you'd like to remove all checked items...  Click OK...

 

Finally, close Ad-Aware...

 

Reboot. Run HijackThis and post the fresh log.

 

 

Let's see now... :)

Edited by Quinstar

> There will be the scan for the " dll " on-boot screen, which will search and fix it...
>
> Reboot again and Download Ad-aware if you haven't got it...

It didn't do any scanning!

Now I have most up-to-date ad-aware and I cleaned 4 infected files, but no use.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:31:42 PM, on 5/21/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\svchost.exe

G:\Program Files\Norton AntiVirus\navapsvc.exe

G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINNT\system32\igfxtray.exe

G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Documents and Settings\Prateek Singh\Desktop\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/?ok

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Prateek Singh

O1 - Hosts: 207.36.196.189 auto.search.msn.com

O1 - Hosts: 207.36.196.189 search.netscape.com

O1 - Hosts: 207.36.196.189 ieautosearch

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "G:\PROGRA~1\iolo\SYSTEM~1\SMUtilityBar.exe"

O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

 

Where is this redirector coming from? Why doesn't it get deleted? :blink:


Are you still being redirected?

What page are you going to and to what page are you getting redirected?

Tell me please... :)


Your problem is the devious method of reinfection that this trojan employs. Whenever you reboot, the program makes a NEW dll file with a random name. The whole thing is tied to a hidden file in your windows/system32 directory that ONLY dllfix will be able to find. When you find it, you can delete it and fix the problem.

 

 

I think this is the same "homeoldsp" cw/about:blank trojan that's been recurring on this forum.

 

Such intimidating terms as "superhidden file" are used throughout the removal process. I was able to use several links to help me eliminate the problem. There is no point for me to rewrite what these posters say:

 

http://www.spywarinfo.com/forums/index.php?showtopic=43492

http://www.wilderssecurity.com/showpost.ph...440&postcount=4

 

Both are very good. I followed the instructions word for word, and it fixed the problem completely. The real trick is finding the superhidden dll file in your system32 directory AND removing the reference in that appinit_dll registry entry. Follow directions in those posts. Use the programs they reference:

 

Reglite

AND

dllfix.exe
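
An added example, not part of the original thread and not code from HijackThis or dllfix: a small triage script for the HijackThis logs posted above. It flags IE settings that point into a local DLL via `res://`, ties them to a BHO loading the same DLL, flags hosts-file entries for the search hostnames seen in the last log, and compares two scans by registry location so a DLL renamed on reboot still matches. The DLL name `xqzjkpl.dll` and all function names are constructed for illustration.

```python
import re

# Search hostnames that the thread's O1 (hosts file) entries redirect.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.I)
BHO = re.compile(r"BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
HOSTS = re.compile(r"Hosts: (\S+)\s+(\S+)$")

# Lines copied from the first log in this thread.
FIRST_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44144E87-6532-42B7-BA68-D23B946EC226} - C:\WINNT\system32\bkcdpnc.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
"""

# Constructed follow-up scan: the DLL name "xqzjkpl.dll" is made up to model
# the rename-on-reboot behaviour; the O1 line is from the thread's last log.
AFTER_REBOOT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\xqzjkpl.dll/sp.html (obfuscated)
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
"""


def triage(log_text):
    """Return a list of finding dicts for one HijackThis log."""
    findings, hijack_dlls, bhos = [], set(), []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if code.startswith("R") and " = " in body:
            location, value = body.split(" = ", 1)
            dll = RES_DLL.search(value)
            if dll:  # IE page served from a resource inside a local DLL
                path = dll.group(1).lower()
                hijack_dlls.add(path)
                findings.append({"kind": "ie-setting-in-dll",
                                 "where": location, "dll": path})
        elif code == "O2":
            b = BHO.search(body)
            if b:
                bhos.append((b.group(1), b.group(2).strip().lower()))
        elif code == "O1":
            h = HOSTS.search(body)
            if (h and h.group(2).lower() in SEARCH_HOSTS
                    and not h.group(1).startswith("127.")):
                findings.append({"kind": "hosts-search-redirect",
                                 "where": h.group(2).lower(), "ip": h.group(1)})
    # A BHO loading the same DLL is what re-applies the IE settings.
    for clsid, path in bhos:
        if path in hijack_dlls:
            findings.append({"kind": "bho-same-dll", "where": clsid, "dll": path})
    return findings


def persisting(before, after):
    """Registry locations hijacked in both scans -> (old DLL, new DLL)."""
    def by_location(log):
        return {f["where"]: f["dll"] for f in triage(log)
                if f["kind"] == "ie-setting-in-dll"}
    old, new = by_location(before), by_location(after)
    return {loc: (old[loc], new[loc]) for loc in old if loc in new}


if __name__ == "__main__":
    for finding in triage(FIRST_SCAN) + triage(AFTER_REBOOT):
        print(finding)
    print(persisting(FIRST_SCAN, AFTER_REBOOT))
```

Matching on the registry location rather than the file name is what keeps the comparison useful when the DLL comes back under a different name.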


Yes, I was still getting redirected. Then I searched through other posts also. I think you had posted somewhere about VX... I used that link and deleted the dll file which kept coming back with different names. Rebooting was required for deletion, which I did. Then I ran ad-aware 2-3 times. Cleared everything. Again ran VX... and then reboot. Then everything was clean. :D

I even installed Spyware Blaster without any problem and it is running perfectly alright. :lol:

Now I can sleep well. It took me 10 hours to fix all this problem, but I am glad that I got it fixed - hopefully.

Nothing is popping up and it is not getting redirected and HijackThis didn't find anything, neither did CWShredder nor ad-aware.

 

thank you very much Quinstar for your extended help.

I am grateful.

-srikant.


Well... I'm glad to hear you sorted it out...

 

Download this free and easy program too:

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all...

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

 

I'll be tracking the topic for another week or so, so come back if you're getting the same problems...

And post a fresh log then...

 

 

Happy surfing...

Edited by Quinstar


Thank you for your concern Quinstar. If I get another problem I will definitely bug you again. :p

Many many thanks to you and all the people who are keeping the forum alive by helping people all the time, round the clock.

 

have fun,

Srikant.

 

By the way, I had downloaded the file (http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD) a long time ago, but I don't know how much it is helping me! :huh:


It gets updated every month or so... Uninstall it and install the new version again... On the download page you can read how to uninstall it...

 

Greetz...
