about:blank, bkcdpnc.dll/sp.html (obfuscated)


This topic is locked
13 replies to this topic

#1 srajan (Full Member, 6 posts)

Posted 21 May 2004 - 04:25 AM

Hi,
I have tried so many ways to deal with this problem and I have spent so much time on this that I have finally given up trying myself. I think I need someone's help to get rid of this problem.
I have used HijackThis every time to get rid of this stupid browser hijacker
bkcdpnc.dll/sp.html (obfuscated) :angry:
blank.html :angry:
but it always comes back. I have used CWShredder.exe to clean them. It says that it removed and cleaned some stuff, but I don't know what!! I have used Ad-aware 6.0 to remove all the spyware. It does, but after some time these things come back. Something very amazing happened. I don't know if it has happened to any of you. I used HijackThis to remove these unwanted things and check-marked them. But HijackThis removed almost everything except 3-4 items. I went to check the backup and there were all of the deleted files. Then I had to restore them one by one by clicking. You cannot restore a bunch of them at one time. Very stupid. Then when I went to check the restored files, I saw these morons back again. All the blank.html and blah-blah. I am posting just after that.
I have been having this problem for almost a month. I also use Spybot Search & Destroy, but no use. This spyware is not leaving me. For God's sake help me.
Here is the log file after getting rid of the spyware.

Logfile of HijackThis v1.97.7
Scan saved at 5:12:05 AM, on 5/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\svchost.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\burst\burst.exe
G:\Program Files\burst\btdownloadheadless.exe
G:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Prateek Singh\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Prateek Singh
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44144E87-6532-42B7-BA68-D23B946EC226} - C:\WINNT\system32\bkcdpnc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "G:\PROGRA~1\iolo\SYSTEM~1\SMUtilityBar.exe"
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

A million thanks to all the people who are going to help me.
-srikant.

#2 Quinstar (Retired Staff, 249 posts)

Posted 21 May 2004 - 04:45 AM

Download this file from http://downloads.sub....org/dllfix.exe.

Preferably to the Desktop. Double-click on it; being a self-extractor, it will create its own folder. Run Start.Bat from there. Run option 1, which is "Run Find-All...". Let it complete and there will be a pop-up window with a log.

Run the start.bat again after the dll is found or whatever. Run option 2 and choose the correct option in the submenu.
Option 1 --> is if you found the dll name that is locked or in the AppInit key.
Option 2 --> is for if you can't find the dll name.

Reboot. There will be the scan for the "dll" on-boot screen, which will search and fix it. There will just be an md5 scan if the filename was entered manually (option 2,1 in start.bat).

Reboot and download Ad-aware. Check for updates. Then run the updated Ad-aware.

Reboot. Run HijackThis and post the fresh log.


Good luck...
To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be

#3 srajan (Full Member, 6 posts)

Posted 21 May 2004 - 06:01 AM

Let me first thank you for helping me. I am really grateful. I did everything as you asked. I couldn't understand the option concept though. Therefore I chose option 1. I ran Ad-aware twice, rebooting after each time. Even after the third time, I still see so many of them. This popup address also comes up in Internet Explorer: http://69.20.62.53/yyy3.html.
Also I tried installing Spyware Blaster. But it doesn't get installed. It says "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." I don't know what this is. I have tried to reinstall so many times, but no use.
Here is the latest logfile.

Logfile of HijackThis v1.97.7
Scan saved at 6:57:59 AM, on 5/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\igfxtray.exe
G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Prateek Singh\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Prateek Singh
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Ad-aware] "G:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "G:\PROGRA~1\iolo\SYSTEM~1\SMUtilityBar.exe"
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

God and the creator only know what these are.
HELP.
-srikant.

#4 Quinstar (Retired Staff, 249 posts)

Posted 21 May 2004 - 09:53 AM

I'll rewrite it... It's a standard fix... ;)

Download Dllfix again
When downloaded, double click it, choose a location to install it, and hit install...

Run Start.Bat from there.
Type 1
Hit enter
Hit Ok to continue
Let it complete and there will be a pop-up window with a log.

Post that log in here... I'll have a look at it...
We'll take it from there then...


Good Luck...

#5 srajan (Full Member, 6 posts)

Posted 21 May 2004 - 10:51 AM

I ran the dllfix as you told me.
I just wanted to tell you that I somehow came across the Norton AntiVirus website where they talk about "iget.net" spyware. I followed their advice. I deleted some of the keys from the registry and then rebooted in safe mode. Did a complete system scan and then opened all the hosts files one by one in the c:\winnt\system32\etc folder and deleted the line containing auto.search.msn.com, and the same for netscape.com and iget.net. But even after that some popups occurred automatically. :wub:
There are two links which automatically opened.
http://69.20.62.53/yyy2.html :(
http://www.popularsc...xdm206&spu=true :(

This is the log file from dllfix.

--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Fri 05/21/2004
11:45a

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
D: "User_Files" (481D:E041) - FS:NTFS clusters:4k
Total: 20 987 011 072 [20G] - Free: 5 902 626 816 [5.5G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;

*Google Toolbar version and Attributes:
2.0.110.0 C:\Program Files\google\googletoolbar1.dll
Defaults: "A" ;"R"
File not found - C:\Program Files\google\googletoolbar2.dll
A C:\Program Files\google\GoogleToolbar1.dll

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{83BA15C2-583D-4418-9294-ADD484C7D03D}"=""


*Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:


*PC uptime:
11:45am up 0 days, 0:38
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
201ca 1300 norm PermissionDlg
503e8 1072 norm SysFader
e02c6 1072 norm SysFader
10050 1072 norm _Shell_TrayWnd
30258 628 norm SysFader
200ac 1256 norm Norton AntiVirus
201ce 1300 norm AutoVPNAlertDlg
200c4 1300 norm ViolationDlg
10018 244 high NetDDE Agent
c0248 1464 norm C:\WINNT\system32\cmd.exe
1900c8 628 norm SWI Forums -> about:blank, bkcdpnc.dll/sp.html (obfuscated) - Prateek Singh
100286 1072 norm Timer
c03de 1072 norm dllfix
1009e 1280 norm igfxtrayWindow\\.\Display1
110274 628 norm MCI command handling window
3023c 628 norm DDE Server Window
20280 1072 norm MCI command handling window
70080 1300 norm ZoneAlarm Pro
100b0 1388 norm AcrobatTrayIcon
10098 1256 norm ccApp
10094 1072 norm CSC Notifications Window
1008a 1072 norm Power Meter
10086 1072 norm MS_WebcheckMonitor
10084 1072 norm Connections Tray
30038 1072 norm DDE Server Window
20034 760 norm SYSTEM AGENT COM WINDOW
10026 676 norm UnErase Process
1001a 244 high MM Notify Callback
30030 1072 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

I was determined to fix the problem today. I have already spent more than 7 dedicated hours on this one. I don't know how much more time it is going to take before it gets fixed.
Thanks for your help.
-srikant. :)

#6 Quinstar (Retired Staff, 249 posts)

Posted 21 May 2004 - 11:01 AM

Restart the start.bat: double-click it
Type 2
Hit Enter
Type 2
Hit Enter
Let the program perform the fix...

Reboot...
There will be the scan for the " dll " on-boot screen, which will search and fix it...
Reboot again and Download Ad-aware if you haven't got it...

Ad-aware:

Download Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions...

Run the program, and click on the globe on the top-right... Click connect, answer yes when a new reference file is found, and after this, hit finish...

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check:  "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check:  "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys... Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items...  Click OK...

Finally, close Ad-Aware...


Reboot. Run HijackThis and post the fresh log.


Let's see now... :)

Edited by Quinstar, 21 May 2004 - 11:01 AM.


#7 srajan (Full Member, 6 posts)

Posted 21 May 2004 - 11:32 AM

There will be the scan for the " dll " on-boot screen, which will search and fix it...
Reboot again and Download Ad-aware if you haven't got it...

It didn't do any scanning!
Now I have the most up-to-date Ad-aware and I cleaned 4 infected files, but no use.

Logfile of HijackThis v1.97.7
Scan saved at 12:31:42 PM, on 5/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
G:\Program Files\Norton AntiVirus\navapsvc.exe
G:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\igfxtray.exe
G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Documents and Settings\Prateek Singh\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/?ok
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Prateek Singh
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [iolo System Mechanic Utility Bar] "G:\PROGRA~1\iolo\SYSTEM~1\SMUtilityBar.exe"
O4 - Global Startup: Acrobat Assistant.lnk = G:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab

Where is this redirector coming from? Why doesn't it get deleted? :blink:

#8 Quinstar (Retired Staff, 249 posts)

Posted 21 May 2004 - 12:03 PM

Are you still being redirected?
What page are you going to and to what page are you getting redirected?
Tell me please... :)

#9 cadaverlab (Full Member, 23 posts)

Posted 21 May 2004 - 01:03 PM

Your problem is the devious method of reinfection that this trojan employs. Whenever you reboot, the program makes a NEW dll file with a random name. The whole thing is tied to a hidden file in your windows/system32 directory that ONLY dllfix will be able to find. When you find it, you can delete it and fix the problem.


I think this is the same "homeoldsp" cw/about:blank trojan that's been recurring on this forum.

Such intimidating terms as "superhidden file" are used throughout the removal process. I was able to use several links to help me eliminate the problem. There is no point for me to rewrite what these posters say:

http://www.spywarinf...showtopic=43492
http://www.wildersse...440&postcount=4

Both are very good. I followed the instructions word for word, and it fixed the problem completely. The real trick is finding the superhidden dll file in your system32 directory AND removing the reference in that appinit_dll registry entry. Follow the directions in those posts. Use the programs they reference:

Reglite
AND
dllfix.exe
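As an added triage aid for the HijackThis logs posted in this thread (example code written for this page, not from the thread, HijackThis or dllfix): it parses the R0/R1, O1 and O2 lines, correlates the res:// search-hijack target with the unnamed BHO that loads the same DLL, and flags hosts-file lines pinning search hostnames. The sample lines are copied from srajan's logs above; the hostname set and the correlation rule are this example's own assumptions.

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bkcdpnc.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {44144E87-6532-42B7-BA68-D23B946EC226} - C:\WINNT\system32\bkcdpnc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton AntiVirus\NavShExt.dll
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# R0/R1 value whose data is a res:// URL into a DLL (HijackThis appends "(obfuscated)").
RES_RE = re.compile(r"^R[01] - (?P<key>.+?) = res://(?P<dll>.+?\.dll)/", re.I)
# O2 browser helper object: name, CLSID and the DLL path that gets loaded into IE.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O1 hosts-file entry: an IP pinned to a hostname.
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
# Leftover value this variant writes when it saves the original start page.
HOMEOLDSP_RE = re.compile(r"^R1 - .*Main,HomeOldSP = ", re.I)

# Assumed set of search/redirect hostnames a normal hosts file has no reason to pin
# (taken from the O1 lines in this thread).
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}


def triage(log_text):
    """Correlate HijackThis lines into the about:blank / res:// hijack pattern."""
    res_dlls = {}         # lowercased DLL path -> registry values pointing at it
    bhos = []             # (clsid, name, lowercased DLL path)
    hosts_overrides = []  # (host, ip) for pinned search hosts
    homeoldsp = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RES_RE.match(line)):
            res_dlls.setdefault(m.group("dll").lower(), []).append(m.group("key"))
        elif HOMEOLDSP_RE.match(line):
            homeoldsp = True
        elif (m := BHO_RE.match(line)):
            bhos.append((m.group("clsid"), m.group("name"), m.group("path").strip().lower()))
        elif (m := HOSTS_RE.match(line)):
            host = m.group("host").lower()
            if host in SEARCH_HOSTS:
                hosts_overrides.append((host, m.group("ip")))
    # The same DLL being both the res:// redirect target and a BHO is the tell:
    # a BHO runs inside every IE instance and can rewrite the search values again.
    bho_hits = [(clsid, path) for clsid, _name, path in bhos if path in res_dlls]
    return {
        "res_dlls": res_dlls,
        "bho_hits": bho_hits,
        "hosts_overrides": hosts_overrides,
        "homeoldsp": homeoldsp,
    }


def is_hijacked(result):
    """True when any redirect indicator is present."""
    return bool(result["res_dlls"] or result["bho_hits"] or result["hosts_overrides"])


def report(result):
    """Human-readable findings, one string per finding."""
    lines = []
    for dll, keys in result["res_dlls"].items():
        lines.append(f"search values redirected into {dll}: {', '.join(keys)}")
    for clsid, path in result["bho_hits"]:
        lines.append(f"BHO {{{clsid}}} loads the same DLL: {path}")
    for host, ip in result["hosts_overrides"]:
        lines.append(f"hosts file pins {host} to {ip}")
    if result["homeoldsp"]:
        lines.append("HomeOldSP value present (original start page saved by the hijacker)")
    return lines


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    print("HIJACKED" if is_hijacked(findings) else "clean")
    for entry in report(findings):
        print(" -", entry)
```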

#11 srajan (Full Member, 6 posts)

Posted 21 May 2004 - 01:04 PM

Yes, I was still getting redirected. Then I searched through other posts also. I think you had posted somewhere about VX... I used that link and deleted the dll file which kept coming back with different names. Rebooting was required for deletion, which I did. Then I ran ad-aware 2-3 times. Cleared everything. Again ran VX... and then reboot. Then everything was clean. :D
I even installed Spyware Blaster without any problem and it is running perfectly alright. :lol:
Now I can sleep well. It took me 10 hours to fix this whole problem, but I am glad that I got it fixed - hopefully.
Nothing is popping up and it is not getting redirected and HijackThis didn't find anything, neither did CWShredder nor ad-aware.

thank you very much Quinstar for your extended help.
I am grateful.
-srikant.

#12 Quinstar (Retired Staff, 249 posts)

Posted 21 May 2004 - 01:09 PM

Well... I'm glad to hear you sorted it out...

Download this free and easy program too:
IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all...
http://www.staff.uiu...rce.htm#IESPYAD

I'll be tracking the topic for another week or so, so come back if you're getting the same problems...
And post a fresh log then...


Happy surfing...

Edited by Quinstar, 21 May 2004 - 01:09 PM.


#13 srajan (Full Member, 6 posts)

Posted 21 May 2004 - 01:23 PM

Thank you for your concern Quinstar. If I get another problem I will definitely bug you again. :p
Many many thanks to you and all the people who are keeping the forum alive by helping people all the time, round the clock.

have fun,
Srikant.

By the way, I had downloaded the file (http://www.staff.uiu...rce.htm#IESPYAD) a long time ago, but I don't know how much it is helping me! :huh:

#14 Quinstar (Retired Staff, 249 posts)

Posted 21 May 2004 - 01:31 PM

It gets updated every month or so... Uninstall it and install the new version again... On the download page you can read how to uninstall it...

Greetz...
