
I need your help (Browser Hijacked)


12 replies to this topic

#1 Need Help

Need Help

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 04 August 2004 - 09:35 AM

Hi,

Originally I could not remove this spyware that sets your homepage to

res://halth.dll/index.html#96676

When you change it, it changes back. It prevents me from doing a system restore (TO ANY POINT!!) and constantly replicates if deleted.

Now I get pop-ups, etc. I want it off my system but Ad-Aware, Spybot and Spyware Doctor cannot get it off my system.

Spydoctor says the "BHO" is C:\\windows/sdkxk.dll.


Anyways, I then targeted sdkxk.dll as the main source of the problem. When it is forced to delete, it comes back 5 seconds later....and so do all of the problems.

Things it has added to my computer (names found using uninstall feature in Spybot, they still do not delete though--come back):

" Home Search Assistant rundll32 url.dll, FileProtocolHandler http://looking-for.c...hAssistant.html "

"Search Extender (SE) uninstall cmd: rundll32 url.dll, FileProtocolHandler http://looking-for.c...chExtender.html "

" Shopping Wizard (SW) uninstall cmd: rundll32 url.dll, FileProtocolHandler http://looking-for.c...pingWizard.html "


I then used HIJACK THIS and SEEMED to eliminate the problem. However, although the evil parts are gone, it is not clean 100%. I keep noticing a program called winge.exe appearing in HIJACK THIS......I have no idea what this is.

Also, at the top of every browser....it does not say "Microsoft Internet Explorer"

i.e. on www.yahoo.com the top bar only says

Yahoo! -

when it should be

Yahoo! - Microsoft Internet Explorer

I am not sure if my system restore feature is fixed, chances are it is not. I am not home at the moment but as soon as I am I will check.

Any help is appreciated in completely eliminating this problem.

Thank-You

#2 Need Help


Posted 04 August 2004 - 10:11 AM

Please help me.

#3 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 04 August 2004 - 11:00 AM

  • HijackThis ...
  • Double click on "My Computer" to open it.
  • Double click on the local "C-Drive" to open it.
  • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
  • Please download HijackThis from any of the following locations:
  • Install/Unzip it into C:\HJT.
  • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis, click on scan and wait for the scan to finish.
  • The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.
  • Notepad will open with a copy of the log.
    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.
  • Please post your entire log here for analysis.


#4 Need Help


Posted 04 August 2004 - 11:17 AM

Thanks for the instructions, I will do this as soon as I get home in about 5 hours. I am thankful that you may be able to help.

Would this restore my system restore feature as well?

#5 PGPhantom


Posted 04 August 2004 - 11:19 AM

We'll deal with that once I see the log - During fixes we sometimes disable the system restore and then re-enable it after the fix is complete.

#6 Need Help


Posted 04 August 2004 - 04:50 PM

DELETED

Edited by Need Help, 09 August 2004 - 08:28 AM.


#7 PGPhantom


Posted 05 August 2004 - 09:06 AM

There is not much showing in your log ... After the following, reboot and wait a few hours and then reboot again. Post an updated log at that time. Sometimes these infections hide themselves for a specified time frame.
  • Run HijackThis (This should, typically, be run from C:\HJT\HijackThis.exe)
  • Click on "Config" in the bottom right corner of the HijackThis window.
  • Make sure that the "Main" tab is selected at the top.
  • Place a checkmark in the box labelled "Make backups before fixing items".
  • Click on "Back" in the bottom right corner.
  • Make sure all Browser windows are closed otherwise it may interfere with the fixing of items.
  • Click on "Scan" and then place a check mark in the following boxes (if they still exist), and click on "Fix Checked":
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AEF31B04-E4D2-E8D3-9366-37404CC10854} - C:\WINDOWS\sdkvi.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
  • DIRECTORY CONTENTS (But not the directory)
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested. Click on "OK" once more to close the options panel.
    • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • DIRECTORIES
    • Nothing to Delete
  • FILES
    • C:\WINDOWS\sdkvi.dll
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.
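
Added example, not part of the original thread and not HijackThis's own logic: a small Python parser for the log lines quoted in post #7 that records why each entry would be reviewed. The three triage heuristics (unnamed BHO, BHO DLL directly in the Windows directory, target reported as "(file missing)") and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Sample input: the four log lines quoted in post #7 above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AEF31B04-E4D2-E8D3-9366-37404CC10854} - C:\WINDOWS\sdkvi.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# "<label> - {CLSID} - <path>" layout used by the O2 and O9 lines above.
CLSID_PATH = re.compile(r"^(?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
MISSING = "(file missing)"

def parse_line(line):
    """Split one log line into fields; return None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = {"code": m["code"], "body": m["body"], "label": "",
             "clsid": None, "path": None, "missing": False}
    c = CLSID_PATH.match(m["body"])
    if c:
        path = c["path"]
        if path.endswith(MISSING):
            entry["missing"] = True
            path = path[:-len(MISSING)].rstrip()
        entry.update(label=c["label"], clsid=c["clsid"].upper(), path=path)
    return entry

def triage(entry, windir=r"C:\WINDOWS"):
    """Return reasons to inspect an entry (heuristics assumed for this example)."""
    reasons = []
    if entry["code"] == "O2":
        if "(no name)" in entry["label"]:
            reasons.append("BHO has no registered name")
        folder = ntpath.dirname(entry["path"] or "")
        if ntpath.normcase(folder) == ntpath.normcase(windir):
            reasons.append("BHO DLL sits directly in the Windows directory")
    if entry["missing"]:
        reasons.append("registration points at a missing file")
    return reasons

def review(log_text):
    """Parse a whole log and keep (code, path, reasons) for flagged entries."""
    parsed = filter(None, map(parse_line, log_text.splitlines()))
    return [(e["code"], e["path"], triage(e)) for e in parsed if triage(e)]
```

Calling `review(SAMPLE_LOG)` returns the O2 entry and both O9 entries with their reasons; the R3 line parses but matches none of the assumed heuristics.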

#8 Need Help


Posted 09 August 2004 - 08:27 AM

Problem did not go away, had to re-install XP (since it would not even load windows).

Thanks for trying though.

#9 PGPhantom


Posted 09 August 2004 - 10:40 AM

That sounds really strange - Would not load windows? Do you recall what stage it got to in the boot process, if you had any errors etc?

#10 Need Help


Posted 09 August 2004 - 01:51 PM

I would turn the computer on, then 3 seconds later it would restart.

#11 PGPhantom


Posted 09 August 2004 - 03:15 PM

That sounds very much like a Sasser infection. Have you already reformatted your computer? i.e. Is it too late to fix the virus?

#12 Need Help


Posted 12 August 2004 - 09:27 AM

Sadly it is too late.

#13 PGPhantom


Posted 12 August 2004 - 10:07 AM

That is too bad ... Have you already set up your new O/S etc? If so, post a HijackThis log and I'll make sure it is clean and then give you a few things to keep it clean.



