Homepage Hijacker problem, VERY TRICKY!

Discussion in 'adware, spyware & hijack cleaning' started by zacktech, May 12, 2004.

Thread Status:
Not open for further replies.
  1. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    Hi all, this is a common problem I'm sure, so if you would just point me to the proper thread that would be nice, otherwise, let's figure this one out.
    BTW, I consider myself very tech savvy (I'm a technician by trade), so no need to make long explanations for me.

    Here's the deal. The other day I got hijacked by something. Many, many trips to security forums all over have pointed my problem to CWS, but it goes deeper than that.
    I was using AVG antivirus then, and have since moved to NOD32, and now to the latest version of Panda Titanium (great AV :D )
    This problem is very similar to what others have been going through. HJT reports a bunch of DLLs in the System32 folder, but when you remove them, they come back later. My current DLL name is hdj.dll, but others across various forums have been the same, only with random DLL names.
    I can remove the DLL easy enough, but it comes back, which suggests that it's in memory, but where?
    The other end of it is this, the homepage keeps getting set to about:blank, which redirects to a search page. I can remove enough stuff with CWShredder, HJT, and registry editing to get rid of it, but it will come back.

    Here is the twist, now that I have Panda on here, at least once a day it will pop up saying it neutralized a virus called "Trj/Startpage.DI" and the file name is the same random DLL that HJT finds. Only HJT reports the DLL as "obfuscated" or "deleted" (when I check it after Panda removes it).

    This leads me to think that this particular problem may still be CWS, but I'm leaning more towards the virus Startpage.DI. But how does it keep getting back in here??

    Some more of my research has led me to think this could also be a variant of the "Gaobot" virus, in whatever form. But Panda doesn't find that. It would make sense though, because I've been seeing this virus hand-in-hand with the Sasser virus going around. And being that I'm a tech, and fixing this virus every day, maybe somehow my machine got it? Even with my AV running.

    Now the big question is, has anybody found out where the ROOT of this is? I can remove stuff with HJT, with CWShredder, in the registry, with a virus scan, deleting the hosts files, removing the DLL, but it comes back, at least once a day. Where else could it be hiding?

    I have a file called homepage.inf in the system32 folder, which some posters have as well, but it makes no mention of "about:blank" or the redirected page. It does, however, use system variables like %FirstHomePage% and %SHORTCUT_UPDATE%. Not sure what this file is for. But seeing as how it's an INF file, it could easily be used to "install" whatever onto my machine. But how would it be called? What is installing homepage.inf? If that's even the problem.

    I've also read that these hijackers can hide right inside your winsock files, thus you have to remove and reinstall all your protocols and adapters as well as run an LSP fixing program to get rid of it. Or perhaps it's an inherent problem with XP, like somewhere in its driver cache or something, it will reinstall the original file from somewhere.

    This is a hard problem to track down, and because the virus only reappears maybe once a day, it's hard to test whether a fix worked or not. Here are a few of its entries in my HJT log:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {0AC472ED-E417-411A-ACEE-F9B551ADF91E} - C:\WINDOWS\System32\hdj.dll (file missing)

    This is after Panda neutralizes it.

    So then, my fellow spyware haters, has anyone found the root of this problem yet? Or how this one virus keeps reloading itself every day?

    (PS. Another problem I'm having is that I downloaded Spywareblaster but get the message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." And this has, from what I've seen, always been caused by CWS. But are my two problems related? Perhaps there is a DLL somewhere that needs to be reregistered. Not sure)

    Thanks everybody for your future help in this.
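As an added illustration (not a tool mentioned anywhere in this thread), here is a small Python triage script that parses the R0/R1/O2 lines pasted above and pulls out the two indicators worth chasing: the DLL that every res:// search-page entry points at, and the BHO CLSID that is still registered even though HJT reports the file as missing. The sample log is the poster's own lines; the only assumption is the standard HJT line layout (`Rn - key,valuename = data` and `O2 - BHO: name - {CLSID} - path`).

```python
"""Triage HijackThis R0/R1/O2 lines for the about:blank / res://...dll pattern.
Added example for this thread, not a HijackThis or CWShredder feature."""
import re
from dataclasses import dataclass

# Constructed sample: the HJT lines quoted in the post above, exactly as pasted.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hdj.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0AC472ED-E417-411A-ACEE-F9B551ADF91E} - C:\WINDOWS\System32\hdj.dll (file missing)
"""

# HJT line shapes assumed here: "Rn - <hive\key>,<valuename> = <data> [(tag)]"
# and "O2 - BHO: <name> - {CLSID} - <path> [(tag)]".
R_LINE = re.compile(r"^(R[013]) - (.+?),(.+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
ANNOTATION = re.compile(r"\s*\((obfuscated|file missing)\)$")
RES_DLL = re.compile(r"res://(.+?\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    kind: str     # "search-hijack", "homepage-reset", "bho", "bho-missing-file"
    line: str     # the original HJT line
    target: str   # DLL path (search-hijack) or CLSID (bho*) or the literal data
    note: str


def split_annotation(text):
    """Separate HJT's trailing '(obfuscated)' / '(file missing)' tag from the data."""
    m = ANNOTATION.search(text)
    if not m:
        return text, ""
    return text[:m.start()], m.group(1)


def analyze_hjt(log_text):
    """Return one Finding per R0/R1/O2 line that matches the hijack pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            _, key, name, data = m.groups()
            data, tag = split_annotation(data)
            dll = RES_DLL.search(data)
            if dll:
                # IE search/home settings pointing into a resource of a local DLL
                findings.append(Finding("search-hijack", line, dll.group(1),
                    f"{key}\\{name} points IE at a page inside a DLL ({tag or 'file present'})"))
            elif data.lower() == "about:blank":
                findings.append(Finding("homepage-reset", line, data,
                    f"{key}\\{name} set to about:blank"))
            continue
        m = O2_LINE.match(line)
        if m:
            _, clsid, path = m.groups()
            path, tag = split_annotation(path)
            if tag == "file missing":
                findings.append(Finding("bho-missing-file", line, clsid,
                    f"BHO {clsid} still registered but {path} is gone"))
            else:
                findings.append(Finding("bho", line, clsid, f"BHO {clsid} loads {path}"))
    return findings


def referenced_dlls(findings):
    """Distinct DLL paths that the res:// entries point at."""
    return sorted({f.target for f in findings if f.kind == "search-hijack"})


def registered_bho_clsids(findings):
    """Distinct BHO CLSIDs seen in O2 lines, whether or not the file exists."""
    return sorted({f.target for f in findings if f.kind.startswith("bho")})


if __name__ == "__main__":
    found = analyze_hjt(SAMPLE_HJT_LOG)
    for f in found:
        print(f"[{f.kind}] {f.note}")
    print("DLLs to look for:", referenced_dlls(found))
    print("BHO CLSIDs to look for:", registered_bho_clsids(found))
```

The CLSID is the useful part of the O2 line once the DLL itself has been deleted: that GUID is what remains registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and HKCR\CLSID, which is why HJT keeps listing a BHO with "(file missing)" after Panda has removed the file.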
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  3. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    Thanks for the tip. After reading some of that, what it sounds like is that there is yet another DLL, a "super hidden" DLL, which reloads the first DLL when it's reconnected to the Internet. This sort of behavior could mean that it is, like I thought, hijacked right into the winsock and/or networking protocols.

    The only other thing would be that this first DLL is listed somewhere in the registry like in the shared DLLs or VXDs area. And to remove it would mean you have to identify the DLL, remove its entries in the registry, and perhaps reload your winsock.

    I had to fix this on a customer's laptop three times; I would fix it and over days it would be good, I could restart and it would still be fine. But somehow, on a COLD boot, that is, from OFF to ON, that's when it would come back. Not just from a restart. Which was very strange. And I did have to run some LSP fixers on that to get rid of it.

    I'd like to help in researching this. If my virus/cws comes back again, I'd like to have some sort of program running that monitors system activity in real time. So as soon as my Panda finds the virus again, I can go through the logs and find out what changed on my HDD and registry. That would give me a better idea of what's going on. Is there such a tool? It would tell me what changes were made in the registry, and what files were copied to the HDD. Then I'll post back here with results.
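On the monitoring question: a cheap way to get the "what changed" answer without a real-time monitor is to take a baseline of the folder and of the relevant registry keys while the machine is clean, then diff against that baseline the next time the AV fires. The Python below is an added example for this thread, not a tool anyone in it recommended. The `.reg` fragments and the temporary folder standing in for System32 are constructed for the demo; it assumes registry data is supplied as the plain text that `reg export` writes, and it does not join multi-line hex values.

```python
"""Baseline-and-diff for a folder and a registry export, to see what a daily
re-infection actually changes. Added example for this thread, not a known tool."""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot_dir(root):
    """Map relative file path -> sha256 of contents for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def parse_reg_export(text):
    r"""Parse 'reg export' (.reg) text into {'KEY\valuename': data}.
    Limitation: multi-line hex values (lines ending in '\') are not joined."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # new key section
        elif key and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            entries[key + "\\" + name] = data
    return entries


def diff_snapshots(before, after):
    """What appeared, vanished, or changed between two snapshots (dicts of name -> value)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def save_snapshot(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1))


def load_snapshot(path):
    return json.loads(Path(path).read_text())


# Constructed .reg fragments: the IE keys from the HJT log, clean and after a re-infection.
REG_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"Search Page"="http://example.invalid/search"
"""

REG_HIJACKED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="res://C:\\WINDOWS\\System32\\hdj.dll/sp.html"
"HomeOldSP"="about:blank"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AC472ED-E417-411A-ACEE-F9B551ADF91E}]
@=""
"""


def demo_registry_diff():
    """Diff the two constructed exports: shows the reset home/search pages and the new BHO key."""
    return diff_snapshots(parse_reg_export(REG_CLEAN), parse_reg_export(REG_HIJACKED))


def demo_folder_diff():
    """Constructed stand-in for System32: baseline, then a dropped DLL and a touched INF."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "System32"
        root.mkdir()
        (root / "homepage.inf").write_text("[Version]\n")
        (root / "legit.dll").write_bytes(b"unchanged")
        baseline = Path(d) / "baseline.json"       # kept outside the watched folder
        save_snapshot(snapshot_dir(root), baseline)
        # ...next day, after the AV alert: a new DLL and a modified INF
        (root / "hdj.dll").write_bytes(b"dropped dll")
        (root / "homepage.inf").write_text("[Version]\n[DefaultInstall]\n")
        return diff_snapshots(load_snapshot(baseline), snapshot_dir(root))


if __name__ == "__main__":
    print(json.dumps(demo_registry_diff(), indent=1))
    print(json.dumps(demo_folder_diff(), indent=1))
```

On a real box the same two functions run against the live data: export the keys of interest with `reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg` (and the HKLM equivalents plus the Browser Helper Objects key), snapshot C:\WINDOWS\System32 with `snapshot_dir`, save both as the baseline, and rerun the diff as soon as the next detection pops. Anything that shows up as "added" or "changed" between a clean baseline and the alert is the list of things the reloader touched, which is exactly what the real-time monitor would have told you.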
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    This may be what you are looking for:

    http://www.devhood.com/tools/tool_details.aspx?tool_id=432

    Regards,

    Pieter
     