Home page keeps changing...

Discussion in 'adware, spyware & hijack cleaning' started by koss, Jun 27, 2004.

Thread Status:
Not open for further replies.
  1. koss

    koss Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    Hello all, great place guys !

    I followed instructions here to the letter
    https://www.wilderssecurity.com/showthread.php?t=15913

    but my home page still changes......

    Here is the log from HiJackThis
    Figured I'd ask before I start fixing what I think is wrong

    Thanks for your help guys.


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\test\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {22115975-F01C-4173-906A-83DBE9E69D93} - C:\WINDOWS\System32\bcj.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/159be0968bfc761b5922/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.7836111111
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2059647C-CD21-4ADA-AAB5-C22CD64C046B}: NameServer = 24.200.243.242,24.204.245.114
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2059647C-CD21-4ADA-AAB5-C22CD64C046B}: NameServer = 24.200.243.242,24.204.245.114
     
  2. koss

    koss Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    anybody
     
  3. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello Koss,

    Well, this is not easy to get rid of. It may take more than one way to get rid of, but let's start with this. Print this to follow after you have downloaded the two programs.

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm (Don't run yet)

    If you don't have Adaware, then download it from here:
    http://www.lavasoftusa.com/support/download/#free
    Open Adaware and check for updates for the reference file but do not scan yet, just close after the update.

    Close all windows except HijackThis and fix these lines. Don't reboot after clicking on Fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\haase\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {22115975-F01C-4173-906A-83DBE9E69D93} - C:\WINDOWS\System32\bcj.dll

    Now, click on the APM program you downloaded first.
    In the upper window select explorer.exe
    In the lower window find and rightclick C:\WINDOWS\System32\bcj.dll
    Select Unload DLL and click OK on the prompts that follow.

    Reboot and scan with AdAware (the second program you downloaded)

    Reboot and post a new HJT log here.
     
  4. koss

    koss Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    Thanks for your responce Tazz

    I will do so this evening as Im at the office and not at home....


    Koss
     
  5. koss

    koss Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    This is what my log looks like now Taz
    By the way CWS managed to delete dcj.dll on my dektop the other night.

    But I still ran your suggested fix incase.
    Please have a look and tell me if this is ok now.

    Thanks again Taz.

    Koss

    Logfile of HijackThis v1.97.7
    Scan saved at 7:11:17 PM, on 29/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\NavNT\vptray.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/159be0968bfc761b5922/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.7836111111
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2059647C-CD21-4ADA-AAB5-C22CD64C046B}: NameServer = 24.200.243.242,24.204.245.114
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2059647C-CD21-4ADA-AAB5-C22CD64C046B}: NameServer = 24.200.243.242,24.204.245.114
     
  6. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
  7. koss

    koss Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    Hey Taz,

    Thanks again dude....


    Funny thing, my home page changed again Today.
    I run adware and HIJACKTHIS evertime now before I shut down...incase.
    Did so last night and it was fine. Cookies are disabled, Directx (scripting) I get prompted and History gets auto deleted in IE but always double check.

    I booted home PC for the first time today, Visted a gaming forum Ive been part of for the last 4 years anyways...

    Click on the link to this forum from favorites folder and bang that same blank URL and that damn search page again........

    No bcj.dll this time around....
    Ran adware, no updates found spyware again...and Ive been good if u know
    what I mean, basically played online games all night and that was it last night.




    Here is my log again after NO BCJ.DLL Was found
    Ran adware(no updates), Reboot


    and here is my log now....
    Gonna Reformat next time around...


    Logfile of HijackThis v1.97.7
    Scan saved at 9:26:25 PM, on 30/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Documents and Settings\haase\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.7836111111
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2059647C-CD21-4ADA-AAB5-C22CD64C046B}: NameServer = 24.200.243.242,24.204.245.114
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2059647C-CD21-4ADA-AAB5-C22CD64C046B}: NameServer = 24.200.243.242,24.204.245.114
     
  8. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hi,

    Log looks good. I would like you to go to this link and follow the suggestions:

    https://www.wilderssecurity.com/showthread.php?t=27971

    After changing your IE settings that the page suggests, let me know how things are working for you. You can change your homepage back to what you want it, reboot and tell me if your homepage comes up or if something else does.
     
Thread Status:
Not open for further replies.