Cisc0Kid

res://upvdf.dll/index.html#37049

3 posts in this topic

First off, thanks go out to rubberducky for taking the time to address problems like these.

 

I've followed each instruction to the letter in an attempt to rid my machine of this hijack variant, to no avail... :weep:

 

 

I reboot after thinking it's gone for good, and BAM... there it is again, rearing its ugly head. Has anyone successfully deleted the sp.html variant for good?

 

THANKS IN ADVANCE!!!!!!

 

Here's my logs:

 

Logfile of HijackThis v1.98.0

Scan saved at 4:26:35 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\system32\winig.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\system32\ievh32.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Documents and Settings\Peter\Desktop\Spyware Tools\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btlyt.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://btlyt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://btlyt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\btlyt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btlyt.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://btlyt.dll/index.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - C:\WINDOWS\system32\javaic.dll

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [winig.exe] C:\WINDOWS\system32\winig.exe

 

 

-- Scan 1 --------

About:Buster Version 1.27

Removed! : C:\WINDOWS\btlyt.dat

Removed! : C:\WINDOWS\btlyt.dll

Removed! : C:\WINDOWS\System32\lnhig.dll

Removed! : C:\WINDOWS\System32\rrjjj.dat

Removed! : C:\WINDOWS\System32\skpmt.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 1.27

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

Edited by Cisc0Kid


Yeah, shouldn't be coming back after Buster removes everything completely. Just for a look-see, could you please locate these files?

 

C:\WINDOWS\system32\winig.exe

C:\WINDOWS\btlyt.dll

C:\WINDOWS\system32\javaic.dll

 

Zip them all up together and send them to here. Don't delete them yet.

 

Then reboot into safe mode. Directions here.

 

Run Hijack This and tick the boxes next to these items.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btlyt.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://btlyt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://btlyt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\btlyt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btlyt.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://btlyt.dll/index.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - C:\WINDOWS\system32\javaic.dll

O4 - HKLM\..\Run: [winig.exe] C:\WINDOWS\system32\winig.exe

 

Close all windows and hit fix checked. Now run About:Buster 2 times to make sure everything is gone.

 

Make sure..

 

C:\WINDOWS\system32\winig.exe

C:\WINDOWS\btlyt.dll

C:\WINDOWS\system32\javaic.dll

 

Are now deleted.

 

Reboot into normal mode and post a new Hijack This log.


First re-run after safe mode method "adaware/HJT/aboutbuster". DLL changed to another random name "upvdf.dll"

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 6:37:22 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

c:\program files\mcafee.com\agent\mcagent.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Documents and Settings\Peter\Desktop\Spyware Tools\HijackThis.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Peter\Desktop\Spyware Tools\KillBox.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upvdf.dll/sp.html#27063

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://upvdf.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://upvdf.dll/index.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\upvdf.dll/sp.html#27063

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upvdf.dll/sp.html#27063

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://upvdf.dll/index.html#27063

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - C:\WINDOWS\system32\javaic.dll

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

 

BUSTER:

 

-- Scan 1 --------

About:Buster Version 1.27

Removed! : C:\WINDOWS\oenzx.dat

Removed! : C:\WINDOWS\upvdf.dat

Removed! : C:\WINDOWS\upvdf.dll

Removed! : C:\WINDOWS\System32\pxtbz.dat

Removed! : C:\WINDOWS\System32\skvfg.dat

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 1.27

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

Funny thing is that these files weren't found in search:

 

C:\WINDOWS\system32\winig.exe

C:\WINDOWS\system32\javaic.dll

 

After going through the whole process again, the dll changed name to "skvfg.dll".

 

Logfile of HijackThis v1.98.0

Scan saved at 6:45:00 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Peter\Desktop\Spyware Tools\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skvfg.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\skvfg.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skvfg.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - C:\WINDOWS\system32\javaic.dll

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

 

 

 

So I started from scratch again in safe mode using adaware/HJT/aboutbuster and then used killbox to find and get rid of winig.exe & javaic.dll & skvfg.dll.

 

I then deleted two more "dll's":

 

C:\WINDOWS\msopt.dll & C:\WINDOWS\wsem217.dll

 

This finally got rid of the hijack variant.

 

THANKS AGAIN FOR ALL YOUR WORK ON ABOUT:BUSTER!!!!

 

Hope those files I sent can be added to the list of suspect files.

Edited by Cisc0Kid
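
The pattern across the three logs in this thread (the res:// DLL changes name after every cleanup while one BHO entry stays put) can be checked mechanically. The following is an added example, not part of the original posts and not code from HijackThis or About:Buster; the function names are hypothetical, and the sample lines are excerpts from the logs above. Entries it reports as survivors are candidates for review, not a verdict.

```python
import re

# HijackThis R0/R1 line: "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
# res:// URL served from inside a DLL; captures the DLL path or bare name
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
# O2 line: "O2 - BHO: <name> - {CLSID} - <file>"
BHO_LINE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def res_dlls(log_text):
    """Lower-cased base names of DLLs that IE page settings point into."""
    names = set()
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        d = RES_DLL.match(m.group(4)) if m else None
        if d:
            names.add(d.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names

def bhos(log_text):
    """Set of (CLSID, file) pairs for every BHO listed in the log."""
    found = (BHO_LINE.match(l.strip()) for l in log_text.splitlines())
    return {(m.group(1), m.group(2).lower()) for m in found if m}

def regenerated(before, after):
    """True when old DLL names are gone but res:// settings returned under new ones."""
    old, new = res_dlls(before), res_dlls(after)
    return bool(new) and old.isdisjoint(new)

def survivors(logs):
    """BHOs present in every log: the entries that outlived each cleanup."""
    return set.intersection(*(bhos(log) for log in logs))

# Lines excerpted from the three logs in this thread (abridged).
LOG_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btlyt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://btlyt.dll/index.html#37049
O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - C:\WINDOWS\system32\javaic.dll
"""
LOG_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\upvdf.dll/sp.html#27063
O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - C:\WINDOWS\system32\javaic.dll
"""
LOG_3 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skvfg.dll/sp.html#37049
O2 - BHO: (no name) - {8605E933-BF9A-38BC-F3EC-5B9BFA9CFEB4} - C:\WINDOWS\system32\javaic.dll
"""
if __name__ == "__main__":
    print(regenerated(LOG_1, LOG_2), regenerated(LOG_2, LOG_3), survivors([LOG_1, LOG_2, LOG_3]))
```
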
