
Browser Hijacking won't go away.

1K views, 9 replies, 4 participants, last post by MicroBell
#1 ·
I have gotten rid of most of the spyware via Microsoft's Anti-Spyware and Ad-Aware's program but can't seem to clean up my browser (can't get rid of the R1 DLLs that keep re-installing). Also, I keep getting explorer.exe errors when I try to navigate my hard drive via Windows Explorer. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:13 AM, on 7/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
c:\mssql7\binn\sqlservr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
c:\mssql7\binn\sqlagent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINNT\system32\d3sa32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\RCrawler\RCrawler.exe
C:\WINNT\system32\ipxu.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\mssql7\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Documents and Settings\bkirkpatrick\Desktop\kav5.0trial_personalen.exe
C:\kav\personal\english\kav5.0.325_personalen.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\bkirkpatrick\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\glbfy.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bell Gardens Police Department
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = PROXY:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {A6818BE3-FEAD-3991-C969-BD3EAF9DA819} - C:\WINNT\system32\ieaw32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [UpConfgVer] "C:\Program Files\Panda Software\Panda Antivirus Platinum\UpgConf.exe" /v:7.05.07
O4 - HKLM\..\Run: [ipxu.exe] C:\WINNT\system32\ipxu.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\mssql7\Binn\sqlmangr.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://testserver.bgpd.local
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - https://onsite.verisign.com/services/CommissiononPOSTInformationServicesBureau/vspta3.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://testserver/codec/tsccinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BGPD.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BGPD.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BGPD.LOCAL
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\d3sa32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\OLYMPUS\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

Thanks, Brendan
 
#2 ·
Hi Brendan, and Welcome to TSF!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that 'Show hidden files and folders' is checked under the 'Hidden Files and Folders' section. Also make sure there is no checkmark beside 'Hide file extensions for known file types' or 'Hide protected operating system files'.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. We will use this later.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.sfx.exe We will use this later.

First, click here to download cwsserviceremove.zip and unzip it to your desktop. Do not run it now.

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.sfx.exe and uncompress the files to a folder on your Desktop. Double-click on AboutBuster.exe to run it and then click on Update > Check for Update. If there is an update available, click on 'Download Update' and wait while it downloads. Once downloaded, click on Exit.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINNT\system32\d3sa32.exe
C:\WINNT\system32\ipxu.exe


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\glbfy.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\glbfy.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A6818BE3-FEAD-3991-C969-BD3EAF9DA819} - C:\WINNT\system32\ieaw32.dll
O4 - HKLM\..\Run: [ipxu.exe] C:\WINNT\system32\ipxu.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\d3sa32.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\glbfy.dll
C:\WINNT\system32\ieaw32.dll
C:\WINNT\system32\ipxu.exe
C:\WINNT\system32\d3sa32.exe


Doubleclick on the cwsserviceremove.reg you saved to your desktop. Click on yes, when it asks you to merge.

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Run CWShredder. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Run Adaware and have it fix whatever problems it may find.

Restart and run a new HijackThis scan. Save the log file and post it here.
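The reply above applies a few recognisable rules to the posted log: IE start/search settings that point at a page inside a local DLL via res://, a BHO whose only name is "Class", and a service with an unknown owner and a garbled name are treated as the hijack, and the files they reference become the delete list. The script below is an added illustration of that triage, not a tool from this thread or from HijackThis. It parses R0/R1/R3, O2, O4 and O23 lines into records, applies those rules, and collects the files behind the high-severity hits. The sample log is constructed from entries in the post above. Note that it does not flag the ipxu.exe Run entry: that one was recognised from knowledge of the specific variant, which these generic rules do not encode.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the log
# posted in this thread (same file names, CLSIDs and service name) so the
# script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\glbfy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\glbfy.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {A6818BE3-FEAD-3991-C969-BD3EAF9DA819} - C:\WINNT\system32\ieaw32.dll
O4 - HKLM\..\Run: [ipxu.exe] C:\WINNT\system32\ipxu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\d3sa32.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<short>.*)\))?$")


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def command_path(cmd):
    # Executable part of an O4 command: the quoted path, or text up to the first .exe
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def service_path(text):
    # Drop trailing arguments, a stray quote and the "(file missing)" marker
    return re.split(r'"|\s-|\s\(file missing\)', text.strip())[0].strip()


def parse_line(line):
    """One HijackThis entry -> dict; None for process-list and other non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    rec = {"section": sec, "raw": line.strip(), "path": None}
    if sec in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        rec.update(key=key, value=value)
        if value.lower().startswith("res://"):          # res://<dll>/<page> -> the DLL
            rec["path"] = value[len("res://"):].split("/", 1)[0]
    elif sec == "R3":
        rec["value"] = body
    elif sec == "O2":
        parts = body[len("BHO: "):].split(" - ", 2)     # name - {CLSID} - path
        if len(parts) == 3:
            rec.update(name=parts[0], clsid=parts[1], path=parts[2])
    elif sec == "O4":
        r = RUN_RE.match(body)
        if r:
            rec.update(name=r.group("name"), path=command_path(r.group("cmd")))
    elif sec == "O23":
        head, owner, path = body.rsplit(" - ", 2)       # display (short) - owner - path
        s = SERVICE_RE.match(head)
        rec.update(display=s.group("display"), short=s.group("short"),
                   owner=owner, path=service_path(path))
    return rec


def assess(rec):
    """Rules distilled from the fix list above; returns (severity, reason) pairs."""
    sec, out = rec["section"], []
    if sec in ("R0", "R1") and rec["path"] and rec["path"].lower().endswith(".dll"):
        out.append(("high", "IE start/search setting points at a page inside a local DLL "
                            "(res://), the CWS sp.html pattern"))
    if sec == "R3" and "missing" in rec.get("value", "").lower():
        out.append(("low", "default URLSearchHook removed; HijackThis restores it on fix"))
    if sec == "O2" and rec.get("name", "x").strip().lower() in ("", "class", "(no name)"):
        out.append(("high", "BHO with no meaningful display name"))
    if sec == "O23" and rec.get("owner") == "Unknown owner":
        garbled = any(ord(c) > 126 or ord(c) < 32 for c in (rec.get("short") or ""))
        out.append(("high", "unknown-owner service with garbled non-ASCII internal name")
                   if garbled else
                   ("low", "service with unknown owner; confirm it is software you installed"))
    return out


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for severity, reason in assess(rec):
            findings.append({"severity": severity, "entry": rec["raw"],
                             "reason": reason, "path": rec.get("path")})
    return findings


def suspect_files(log_text):
    """Files referenced by high-severity entries: candidates for the delete list."""
    return sorted({basename(f["path"]) for f in triage(log_text)
                   if f["severity"] == "high" and f["path"]})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['entry']}\n        -> {f['reason']}")
    print("files to investigate:", ", ".join(suspect_files(SAMPLE_LOG)))
```

Run as-is it reports four high and two low findings on the sample and names glbfy.dll, ieaw32.dll and d3sa32.exe as the files to look at, which matches the delete list in the reply; the low-severity VNC hit shows why "Unknown owner" alone is not enough to condemn a service.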
 
#3 ·
Can't post any logs because I can't log on in "regular mode" anymore. Safe mode is OK but in regular mode, I get a "blue screen of death" with a TCPIP error. The Network Security Service was found but would give me a "general internal error" when I tried to access it. Also, the CWShredder would "hang" when executed and would not run. Adaware found 1 possible browser hijack and manually, GLBFY.DLL and IPXU.EXE were removed. IEAW32.DLL and D3SA32.EXE were not found on the hard drive.

Any suggestions to avoid the blue screen of death?
 
#4 ·
Let's see if we can sneak around the corrupted files.

Do all of the below in safe mode.

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
 
#5 · (Edited)
I can't get a pasted file to here but here is the summary:

MWAV found the following (but no specific location listed):

Bargain Buddy Spyware Found in File System - No Action Taken
Alexa Spyware Found in File System - No Action Taken
Altnet Spyware Found in File System - No Action Taken
MySearch Spyware Found in File System - No Action Taken

I ran Adware and Microsoft and they were clean with no detections for any of the above referenced spyware found by MWAV


TSC found a couple of duplicate file extensions and nothing else.

Windows still B.S.O.D. with the TCIP.SYS listed and the statement of "IRQL_NOT_LESS_OR_EQUAL" at the top. Windows loads into my Desktop and the icons appear but after 10 seconds, whammy! Blue Screen of Death.

Brendan
 
#6 ·
Try running sfc /scannow from the run box in safe mode and look for missing/corrupt system files. I'm a little concerned the OS may have already been corrupt when you started this fix. What explorer.exe error did you get prior to running this fix?

Check your device manager and see if there are any conflicts.
 
#7 ·
The computer would give a generic error message box and the screen would refresh the desktop. Before, I could never get past my desktop screen. Anytime I would try to go into a folder, explorer, my computer, etc., I would get a prompt box that would just say explorer.exe error and then the screen refresh. I will try to run the "sfc /scannow from the run box" in the AM and see if anything works. If not, I will try a windows re-install.

Brendan
 