Search Redirections And 404 Pages

tyrael98 · 05-06-2008, 08:54 AM

Hi everyone!

This is a problem I'm been wrestling with for the 3rd day. I'm desperate!

What seems to be the problem is that there's some sort of a hijacker / malware / outer space virus hybrid that's trying to take me over.
First, I noticed that when I try to google or yahoo something, the first result on the first page is always redirected to a site http://encyclopedia.thefreedictionary.com/<whatever I was searching>/
(and at some times, I bump into a different site this way as well).
I can open cached versions of sites, and everything else seems to work except for this. This problem only appears on IE. Firefox's doing fine.

Also, when I tried to look for help on certain sites, they give me a 404 error (page cannot be displayed), most notibly windows update, or mayorgeeks.com. And this problem is browser independent, since firefox can't show them either. (I have to view this page on a different computer) For the same reason , I couldn't download Combofix , cause all the mirror sites I've been trying were one of these '404' sites. I tried to download it from another computer, and then copy it to me, but then the exe file wont do anything. No doubleclicks, no cmd command execution, no nothing. It just sits there.

I don't know if it has to do with anything, but I was having quite a fight lately with a virus called Diehard.d and his offspring Vundo. I'm still seing some (undeletable) legacy registries in regedit from the formers files.

Here's a list of programs I've tried to kill this son of a b.i.t.c.h. (obviously of no avail):

HijackThis
Scan Spyware
Ad-Aware
Spybot S&D
CCleaner
SUPERAntiSpyware
VundoFix
VirtumondoBegone
RogueRemover
SDFix
Security Task Manager
COMODO BOClean

(I'm having quite an arsenal on my computer. I even went so far to learn half of the regedit tree. Now I can even rewrite the registry for IE7's Search toolbar

).

All the above either said I'm clean and safe, or deleted stuff that had little effect. Except for Scan Spyware, which still gives me a result labeled '204.agent', and said its the file c:\Windows\system32\clbdll.dll.
Problem is, there is no such thing in my system32 folder. And here's a little something wich simply gives me the creeps. Whenever I try to paste or write the line c:\Windows\system32\clbdll.dll into the notepad, it replaces it automaticly to c:\Windows\system32\cdosys.dll. WTF???
If i paste it to word, nothing. If I import the same line from notepad to word, It turns back to clbdll.dll. I don't think this is normal! Someone Please Help!!!

Here's my HijackThis log. (Chello's my internet provider, don't bother with those lines. Yea, it's european.

)

Logfile of HijackThis v1.99.1
Scan saved at 17:36:00, on 2008.05.06.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.chello.hu/autoconfig/huhu.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.chello.hu:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Letöltés -> Download &Express - C:\Program Files\Download Express\Add_Url.htm
O11 - Options group: [international] International*
O14 - IERESET.INF: START_PAGE_URL=http://home.hun.chello.hu
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamste...gameloader.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://unikum-angyal.spaces.live.com...d/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Windows firewall/internet connenction sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

05-06-2008, 08:54 AM	#1 (permalink)
tyrael98 Registered User Join Date: May 2008 Posts: 1 OS: Windows XP Home SP2	Search Redirections And 404 Pages Hi everyone! This is a problem I'm been wrestling with for the 3rd day. I'm desperate! What seems to be the problem is that there's some sort of a hijacker / malware / outer space virus hybrid that's trying to take me over. First, I noticed that when I try to google or yahoo something, the first result on the first page is always redirected to a site http://encyclopedia.thefreedictionary.com/<whatever I was searching>/ (and at some times, I bump into a different site this way as well). I can open cached versions of sites, and everything else seems to work except for this. This problem only appears on IE. Firefox's doing fine. Also, when I tried to look for help on certain sites, they give me a 404 error (page cannot be displayed), most notibly windows update, or mayorgeeks.com. And this problem is browser independent, since firefox can't show them either. (I have to view this page on a different computer) For the same reason , I couldn't download Combofix , cause all the mirror sites I've been trying were one of these '404' sites. I tried to download it from another computer, and then copy it to me, but then the exe file wont do anything. No doubleclicks, no cmd command execution, no nothing. It just sits there. I don't know if it has to do with anything, but I was having quite a fight lately with a virus called Diehard.d and his offspring Vundo. I'm still seing some (undeletable) legacy registries in regedit from the formers files. Here's a list of programs I've tried to kill this son of a b.i.t.c.h. (obviously of no avail): HijackThis Scan Spyware Ad-Aware Spybot S&D CCleaner SUPERAntiSpyware VundoFix VirtumondoBegone RogueRemover SDFix Security Task Manager COMODO BOClean (I'm having quite an arsenal on my computer. I even went so far to learn half of the regedit tree. Now I can even rewrite the registry for IE7's Search toolbar ). All the above either said I'm clean and safe, or deleted stuff that had little effect. Except for Scan Spyware, which still gives me a result labeled '204.agent', and said its the file c:\Windows\system32\clbdll.dll. Problem is, there is no such thing in my system32 folder. And here's a little something wich simply gives me the creeps. Whenever I try to paste or write the line c:\Windows\system32\clbdll.dll into the notepad, it replaces it automaticly to c:\Windows\system32\cdosys.dll. WTF??? If i paste it to word, nothing. If I import the same line from notepad to word, It turns back to clbdll.dll. I don't think this is normal! Someone Please Help!!! Here's my HijackThis log. (Chello's my internet provider, don't bother with those lines. Yea, it's european.) Logfile of HijackThis v1.99.1 Scan saved at 17:36:00, on 2008.05.06. Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\Comodo\CBOClean\BOCORE.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\Comodo\CBOClean\BOC426.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Windows Live\Messenger\usnsvc.exe C:\Program Files\Internet Explorer\iexplore.exe D:\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hu/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.chello.hu/autoconfig/huhu.ins R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.chello.hu:8080 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: Letöltés -> Download &Express - C:\Program Files\Download Express\Add_Url.htm O11 - Options group: [international] International* O14 - IERESET.INF: START_PAGE_URL=http://home.hun.chello.hu O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamste...gameloader.cab O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633 O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://unikum-angyal.spaces.live.com...d/MsnPUpld.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing) O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: Windows firewall/internet connenction sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing) O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe