Wilders Security Forums  

Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1  June 28th, 2004, 09:17 AM
Metmetpiemel (Infrequent Poster, joined Jun 2004, 5 posts)
Browser Hijack

Hi, when I start IE I get a "search for.." page while I have about:blank..
I used Ad-Aware, Spybot S&D and tried to use SpywareBlaster 3.1 but it said bad sector etc.

Hmm, in Local Settings temp internet files it has a file called sp.html and it switches back to this one every time: when I delete it and start IE it's back.

Here is my log, I hope someone can help me with this problem.

Code:
Logfile of HijackThis v1.97.7
Scan saved at 11:21:42, on 28-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\RegCleaner\RegCleanr.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Meester\Desktop\Torraetota\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FAB498CC-FCD8-4345-B332-6F8299EAA85B} - C:\WINDOWS\System32\nicko.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...134.3334722222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab

Last edited by Metmetpiemel : June 28th, 2004 at 09:33 AM.
#2  June 28th, 2004, 09:47 AM
Metmetpiemel (Infrequent Poster, joined Jun 2004, 5 posts)
Re: Browser Hijack

Can anyone please help me? I also get "remove spyware popups" at some websites like hotmail and stuff.
#3  June 28th, 2004, 09:55 AM
Pieter_Arntz (Spyware Veteran, Netherlands, joined Apr 2002, 12,717 posts)
Re: Browser Hijack

You could have chosen a username that was a bit less childish.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O2 - BHO: (no name) - {FAB498CC-FCD8-4345-B332-6F8299EAA85B} - C:\WINDOWS\System32\nicko.dll

Then delete:
C:\WINDOWS\nsdb <= the entire folder.

Copy the contents of the bold text to Notepad.
Name the file Appinit.bat
Save as type *All Files*
Save on the Desktop.

Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt


Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Post the content please.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
#4  June 28th, 2004, 10:04 AM
Metmetpiemel (Infrequent Poster, joined Jun 2004, 5 posts)
Re: Browser Hijack

Thank you very much and sorry about the name.

I've done all you said and this is what the windows.txt showed:

Code:
regf       Pugf hbin  nk, lx\  8 x 0 < $  Windows sk x x              !    !      #    #  ?          ?        ?             vk <    fAppInit_DLLs֍GC : \ W I N D O W S \ S y s t e m 3 2 \ k b d o a . d l l   vk  P   UDeviceNotSelectedTimeout1 5  (W9 0  ! vk  '   zGDIProcessHandleQuota"vk     Spooler2y e s     p *  vk    =pswapdiskvk  `   RTransmissionRetryTimeout  p *   X vk  '   USERProcessHandleQuota x
#5  June 28th, 2004, 10:16 AM
Pieter_Arntz (Spyware Veteran, Netherlands, joined Apr 2002, 12,717 posts)
Re: Browser Hijack

This is the (hidden) file we have to get rid of:
C:\WINDOWS\System32\kbdoa.dll

I will offer you two options:

1. the Recovery Console in Windows XP

2. If you end up having permission issues even with the Recovery Console, proceed with this.

Download CWShredder:
http://www.spywareinfoforum.com/down...CWShredder.exe
But do not run it yet.

Then copy into Notepad
Code:
@echo off
Echo Working
REM Abort if the key has no Appinit_Dlls value to remove
Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
If ERRORLEVEL==1 GoTo End
GoTo DOIT
:End
echo >not.vbs MsgBox "No Appinit_Dlls value Present" ^& vbcrlf ^& "Removal Aborted"
Wscript.exe not.vbs
del not.vbs
Exit
:DOIT
REM Save the Windows key to backup.hiv (the PING lines are delays that let reg.exe finish)
If exist backup.hiv del backup.hiv
If exist f.hiv del f.hiv
reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv
:one
PING 1.1.1.1 -n 2 -w 1000 >NUL
if not exist backup.hiv goto one
REM Drop the key and restore the backup under a scratch name, NotWindows, where the value can be deleted
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f
Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
:Notthere
PING 1.1.1.1 -n 2 -w 1000 >NUL
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
IF ERRORLEVEL ==1 GoTo Notthere
reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" backup.hiv
:two
PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
IF ERRORLEVEL==1 GOTO two
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls /f
:appy
PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
If Not ERRORLEVEL==1 GOTO appy
REM Save the cleaned key to f.hiv and put it back in place as the real Windows key
Reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" f.hiv
:three
PING 1.1.1.1 -n 4 -w 1000 >NUL
if not exist f.hiv GOTO three
Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
:four
PING 1.1.1.1 -n 1 -w 1000 >NUL
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
If ERRORLEVEL==1 GOTO four
:five
PING 1.1.1.1 -n 2 -w 1000 >NUL
Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" f.hiv
Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v USERProcessHandleQuota
If ErrorLevel==1 GOTO five
REM Keep the cleaned hive as fbackup.hiv and report completion
If exist f.hiv ren f.hiv fbackup.hiv
Echo > finished.vbs MsgBox "Done"
Wscript.exe finished.vbs
del finished.vbs

and save this as hiving.bat

Sign off the internet and stay off until all of these steps have been completed.

Double click on the batch to run it. Then Reboot.
(If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.)
After a reboot the super hidden nasty file will no longer be loaded and will be visible.

Find this file:
C:\WINDOWS\System32\kbdoa.dll

Right click on the file. Click Properties from the menu.
Uncheck the Read Only box.
Delete the file.
Once you have successfully deleted the file:

Run CWShredder immediately.
Press the fix button to clean.
Reboot.

Then run Ad-Aware as described here: http://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter
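As an added illustration (not code from the thread or from Pieter), here is how the kbdoa.dll entry that Pieter reads out of the windows.txt hive save can be pulled out programmatically. The hive bytes are a constructed stand-in shaped like the dump above (regf header, "vk" cells with an ASCII value name, a few junk bytes, then the REG_SZ payload in UTF-16LE), not a real regf file, and the extractor is a heuristic on that UTF-16LE run rather than a full hive parser.

```python
import re
from typing import List, Optional


def build_sample_dump(appinit: str) -> bytes:
    """Constructed test data only: mimics how the saved Windows key looks when
    the raw hive is viewed as text. Layout is loosely regf-like, not a real hive."""
    def sz(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"   # REG_SZ data, NUL-terminated

    return (
        b"regf" + b"\x00" * 28 + b"hbin" + b"\x00" * 12
        # value cell: "vk" header, ASCII name, 4 junk bytes, then UTF-16LE data
        + b"vk" + b"\x00" * 14 + b"AppInit_DLLs" + b"\xd6\x8d\xff\x01" + sz(appinit)
        + b"vk" + b"\x00" * 14 + b"DeviceNotSelectedTimeout" + sz("15")
        + b"vk" + b"\x00" * 14 + b"Spooler" + sz("yes")
    )


# A run of at least three printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")


def extract_sz(dump: bytes, name: bytes, max_gap: int = 16) -> Optional[str]:
    """Heuristic: the REG_SZ data for `name` is the first printable UTF-16LE run
    that starts within max_gap bytes after the value name in the dump. Runs that
    start further away belong to some other value, so they are not returned."""
    idx = dump.find(name)
    if idx < 0:
        return None
    start = idx + len(name)
    m = UTF16_RUN.search(dump, start)
    if not m or m.start() - start > max_gap:
        return None
    return m.group(0).decode("utf-16-le")


def appinit_dlls(dump: bytes) -> List[str]:
    """Split AppInit_DLLs into individual paths. The value is normally empty on
    a clean Windows XP machine; anything listed is loaded into every process
    that maps user32.dll, so each entry is worth identifying."""
    raw = extract_sz(dump, b"AppInit_DLLs")
    if not raw:
        return []
    return [p for p in re.split(r"[ ,;]+", raw.strip()) if p]
```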
#6  June 28th, 2004, 10:55 AM
Metmetpiemel (Infrequent Poster, joined Jun 2004, 5 posts)
Re: Browser Hijack

Thanks, I've done everything you said but I can't untick the read only at kbdoa.dll, it says Access denied. Can you please tell me what to do?
#7  June 28th, 2004, 01:39 PM
Metmetpiemel (Infrequent Poster, joined Jun 2004, 5 posts)
Re: Browser Hijack

Please anyone?
Copyright 2002 - 2013, Wilders Security Forums