Browser Hijack

Discussion in 'adware, spyware & hijack cleaning' started by Metmetpiemel, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. Metmetpiemel

    Metmetpiemel Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    5
    Hi, when I start IE I get a "search for..." page even though my home page is set to about:blank.
    I used Ad-Aware and Spybot S&D and tried to use SpywareBlaster 3.1, but it reported a bad sector etc.

    Hmm, in Local Settings\Temporary Internet Files there is a file called sp.html, and it switches back to this one every time: when I delete it and start IE, it's back.

    Here is my log i hope someone can help me with this problem

    Code:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:21:42, on 28-6-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\RegCleaner\RegCleanr.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Documents and Settings\Meester\Desktop\Torraetota\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FAB498CC-FCD8-4345-B332-6F8299EAA85B} - C:\WINDOWS\System32\nicko.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [url]http://www.apple.com/qtactivex/qtplugin.cab[/url]
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - [url]http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe[/url]
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - [url]http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38134.3334722222[/url]
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - [url]https://gto.postbank.nl/GTO/PBGNX.cab[/url]
    
  2. Metmetpiemel

    Metmetpiemel Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    5
    Can anyone please help me ? i also get "remove spyware popups" at some websites like hotmail and stuff
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    You could have chosen a username that was a bit less childish.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

    O2 - BHO: (no name) - {FAB498CC-FCD8-4345-B332-6F8299EAA85B} - C:\WINDOWS\System32\nicko.dll

    Then delete:
    C:\WINDOWS\nsdb <= the entire folder.

    Copy the contents of the bold text to Notepad.
    Name the file Appinit.bat
    Save as type *All Files*
    Save on the Desktop.

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Post the content please.

    Regards,

    Pieter
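The selection above is a manual triage of the HijackThis log: IE search and start values pointing at a local file:// page in the Temp folder, a hosts file relocated away from drivers\etc, a non-standard HomeOldSP value, and an unnamed BHO loading a DLL from System32. The following script, added here as an example and not part of the thread or of HijackThis itself, encodes those same indicators as rules and runs them over sample lines copied from the posted log. The rule names, regexes and the `check_line`/`triage` helpers are my own; the "unnamed BHO in System32" rule is a heuristic, which is why the (no name) Acrobat helper in Program Files is left alone.

```python
import re

# Sample input: lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Meester\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FAB498CC-FCD8-4345-B332-6F8299EAA85B} - C:\WINDOWS\System32\nicko.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# The only legitimate location of the hosts file: <drive>:\<windir>\System32\drivers\etc\hosts
HOSTS_OK = re.compile(r"^[a-z]:\\[^\\]+\\system32\\drivers\\etc\\hosts$", re.I)
# Anything directly under <drive>:\<windir>\System32\
SYSTEM32 = re.compile(r"^[a-z]:\\[^\\]+\\system32\\", re.I)


def check_line(line):
    """Return a reason if the HijackThis line matches a hijack indicator, else None."""
    kind = line[:2]
    if kind in ("R0", "R1"):
        key, _, value = line.partition(" = ")
        if value.lower().startswith("file://"):
            return "IE search/start page points at a local HTML file"
        if key.endswith("HomeOldSP"):
            return "HomeOldSP is not a value Internet Explorer itself uses"
    elif line.startswith("O1 - Hosts file is located at: "):
        path = line.split(": ", 1)[1]
        if not HOSTS_OK.match(path):
            return "hosts file relocated outside drivers\\etc"
    elif line.startswith("O2 - BHO: (no name) - "):
        dll = line.rsplit(" - ", 1)[1]
        if SYSTEM32.match(dll):          # heuristic: unnamed BHO living in System32
            return "unnamed BHO loading a DLL from System32"
    return None


def triage(log_text):
    """Run every rule over a HijackThis log; return [(line, reason), ...] for the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = check_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Run against the sample, the script flags exactly the five lines Pieter asked to be fixed and nothing else; the O4 autostarts and the named Norton BHO pass untouched.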
     
  4. Metmetpiemel

    Metmetpiemel Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    5
    Thank you very much and sorry bout the name ;)

    I've done all you said and this is what the windows.txt showed

    Code:
    [binary registry hive (regf format, as written by "reg save"), not readable as text; the dump is omitted here.
     Recoverable strings from it: header "regf", one "hbin" block, key "Windows", and value records (vk) named
     AppInit_DLLs = C:\WINDOWS\System32\kbdoa.dll, DeviceNotSelectedTimeout, GDIProcessHandleQuota,
     Spooler = yes, swapdisk, TransmissionRetryTimeout, USERProcessHandleQuota]
    
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    This is the hidden file we have to get rid of:
    C:\WINDOWS\System32\kbdoa.dll

    I will offer you two options:

    1. the Recovery Console in Windows XP

    2. If you end up having permissions issue even with Recovery console, proceed with this.

    Download CWShredder:
    http://www.spywareinfoforum.com/downloads/tools/CWShredder.exe
    But do not run it yet.

    Then copy into notepad
    Code:
    @echo off
    Echo Working
    
    REM Abort if there is no AppInit_DLLs value at all (nothing to remove).
    REM "IF ERRORLEVEL 1" is true when the previous command returned 1 or higher;
    REM "IF ERRORLEVEL==1" would be a string comparison that is never true.
    Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
    If ERRORLEVEL 1 GoTo End
    GoTo DOIT
    :End
    
    echo >not.vbs MsgBox "No Appinit_Dlls value Present" ^& vbcrlf ^& "Removal Aborted"
    Wscript.exe not.vbs
    del not.vbs
    Exit
    
    :DOIT
    If exist backup.hiv del backup.hiv
    If exist f.hiv del f.hiv
    
    REM Save the whole Windows key to a hive file, then delete it and rebuild it
    REM under a temporary name; the loaded DLL blocks direct edits of the live key.
    reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" backup.hiv
    :one
    
    REM PING to a non-answering address is used as a one-second sleep (XP has no SLEEP command).
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    if not exist backup.hiv goto one
    
    Reg Delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f
    
    Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
    :Notthere
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows"
    IF ERRORLEVEL 1 GoTo Notthere
    
    REM Load the saved copy into the temporary key and strip the AppInit_DLLs value there.
    reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" backup.hiv
    
    :two
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
    IF ERRORLEVEL 1 GOTO two
    
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls /f
    :appy
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /v Appinit_Dlls
    If Not ERRORLEVEL 1 GOTO appy
    
    REM Save the cleaned key, drop the temporary key and restore the clean copy under the real name.
    Reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" f.hiv
    :three
    
    PING 1.1.1.1 -n 4 -w 1000 >NUL
    if not exist f.hiv GOTO three
    
    Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows" /f
    
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    :four
    
    PING 1.1.1.1 -n 1 -w 1000 >NUL
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    If ERRORLEVEL 1 GOTO four
    
    :five
    
    PING 1.1.1.1 -n 2 -w 1000 >NUL
    Reg Restore "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" f.hiv
    REM USERProcessHandleQuota is a stock value of the key: if it is back, the restore worked.
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v USERProcessHandleQuota
    If ErrorLevel 1 GOTO five
    
    If exist f.hiv ren f.hiv fbackup.hiv
    
    Echo > finished.vbs MsgBox "Done"
    Wscript.exe finished.vbs
    del finished.vbs
    
    and save this as hiving.bat

    Sign off the internet and stay off until all of these steps have been completed.

    Double click on the batch to run it. Then Reboot.
    (If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.)
    After a reboot the super hidden nasty file will no longer be loaded and will be visible.

    Find this file:
    C:\WINDOWS\System32\kbdoa.dll

    Right click on the file. Click Properties
    from the menu.
    Uncheck the Read Only box.
    Delete the file.
    Once you have successfully deleted the file:

    Run CWShredder immediately.
    Press the fix button to clean.
    Reboot.

    Then run Ad-Aware as described here: https://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
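The windows.txt file in post 4 is not text at all: "reg save" writes a binary registry hive (the "regf" format), which is why the post shows mostly padding and a few readable strings, and why the name of the injected DLL had to be read out of it by eye. The reader below, added here as an example and not a tool from the thread, walks such a hive the way a forensic parser would: base block, "hbin" bins, allocated cells, and the "vk" value records with their inline or out-of-line data, and returns the DLL paths listed in AppInit_DLLs. The layout constants come from the public descriptions of the regf format; the function names are my own, and the hive it parses is a minimal one constructed inside the script (the real dump from the thread is not reproduced), so it runs offline.

```python
import re
import struct

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
HBIN_BASE = 0x1000  # cell offsets inside a hive are relative to the first hbin


def iter_cells(hive):
    """Yield the payload of every allocated cell in every hbin of the hive."""
    pos = HBIN_BASE
    while pos + 0x20 <= len(hive) and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        end = pos + hbin_size
        cur = pos + 0x20                      # cells start after the 32-byte hbin header
        while cur + 4 <= end:
            size = struct.unpack_from("<i", hive, cur)[0]
            if size == 0:
                break                         # padding: no more cells in this bin
            if size < 0:                      # negative size marks an allocated cell
                yield hive[cur + 4:cur - size]
            cur += abs(size)
        pos = end


def decode_value(hive, data_size, data_off, vtype):
    """Fetch a vk record's data: inline in the offset field (bit 31 set) or from a data cell."""
    length = data_size & 0x7FFFFFFF
    if data_size & 0x80000000:
        raw = struct.pack("<I", data_off)[:length]
    else:
        start = HBIN_BASE + data_off + 4      # skip the data cell's own size field
        raw = hive[start:start + length]
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    if vtype == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    return raw


def extract_values(hive):
    """Return {value name: decoded data} for every vk record in the hive."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    values = {}
    for cell in iter_cells(hive):
        if cell[:2] != b"vk":
            continue
        # vk layout after the signature: name length, data size, data offset, type, flags
        name_len, data_size, data_off, vtype, flags = struct.unpack_from("<HIIIH", cell, 2)
        name_raw = cell[0x14:0x14 + name_len]
        name = name_raw.decode("ascii" if flags & 1 else "utf-16-le", errors="replace")
        values[name or "(Default)"] = decode_value(hive, data_size, data_off, vtype)
    return values


def appinit_dll_list(values):
    """AppInit_DLLs is a space- or comma-separated list of DLLs loaded into every user-mode process."""
    raw = values.get("AppInit_DLLs", "")
    if not isinstance(raw, str):
        return []
    return [p for p in re.split(r"[ ,]+", raw) if p]


# --- constructed sample hive (not the dump posted in the thread) ---------------
def _cell(payload):
    """Wrap a payload in an allocated cell: negative int32 size, 8-byte aligned."""
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")


def _vk(name, data_size, data_off, vtype):
    # flags=1: name stored as ASCII; trailing spare word is zero
    return b"vk" + struct.pack("<HIIIHH", len(name), data_size, data_off, vtype, 1, 0) + name


def build_sample_hive(appinit_value):
    """One hbin holding AppInit_DLLs (REG_SZ in a data cell) and a REG_DWORD stored inline."""
    sz = appinit_value.encode("utf-16-le") + b"\x00\x00"
    vk_len = len(_cell(_vk(b"AppInit_DLLs", len(sz), 0, REG_SZ)))
    vk_sz = _cell(_vk(b"AppInit_DLLs", len(sz), 0x20 + vk_len, REG_SZ))   # data cell follows it
    vk_dw = _cell(_vk(b"USERProcessHandleQuota", 0x80000004, 10000, REG_DWORD))
    cells = vk_sz + _cell(sz) + vk_dw
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000)).ljust(0x20, b"\x00") + cells
    return b"regf".ljust(HBIN_BASE, b"\x00") + hbin.ljust(0x1000, b"\x00")


if __name__ == "__main__":
    hive = build_sample_hive(r"C:\WINDOWS\System32\kbdoa.dll")
    for dll in appinit_dll_list(extract_values(hive)):
        print("AppInit_DLLs entry:", dll)
```

To inspect a real windows.txt from "reg save", read the file in binary mode and pass the bytes to extract_values; a hive saved from a system this thread describes would list kbdoa.dll in AppInit_DLLs, and a clean XP key has that value empty.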
     
  6. Metmetpiemel

    Metmetpiemel Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    5
    Thanks, I've done everything you said, but I can't untick "read only" on kbdoa.dll: it says Access denied. Can you please tell me what to do?
     
  7. Metmetpiemel

    Metmetpiemel Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    5
    Please anyone? :'(
     