"Only the best" / Home search assistent Variants and Page hijack list

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DarkAngel_ZERO, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    Ok guys, with a ton of threads on this, I wanted to make a single thread dedicated to identifying this bastard's variants. We've all come here because of this thing...let's work together to track it down and kill it.

    Note: this list will be updated with each new identification that is posted.

    DLL / Hijack Variants (begins with res://):
    agppa.dll
    orugt.dll
    bzxlc.dll
    mshp.dll
    idvxj.dll

    Items in Uninstall List:
    Home Search Assistent

    Popup Windows associated:
    Only the best

    Programs Affected:
    Internet Explorer
    Microsoft Office 2003 Professional (tries to re-install program)



    Alright eggheads...let's see if we can find a good way to kill it.
     
  2. tommyd1973

    tommyd1973 Private E-2

    Re: "Only the best" / Home search assistant Variants and Page hijack list

    A success story from a total novice (to give others hope)

I had (I say had, but I'm not sure) a variant of this with fkxmn.dll showing up in my browser homepage. It was doing all the same stuff people here have been talking about and I've spent two days chasing it down, and in the process learning about many things including this forum. I ran Search and Destroy and for a while it identified but was unable to fix something DyFuCA related. But that eventually went away. I installed and ran Ad Aware. It identified and fixed a lot of stuff but no help with respect to this thing. I also installed and ran SpyWareBlaster and SpyWareGuard. They kept telling me that something was trying to change my homepage and search pages and write files into the registry (that's apparently what they do). I installed and ran HijackThis and had it fix two things I obviously knew needed the boot because I recognized them as renegade file names. You see, I had noticed that every five minutes, new 9kb programs with all kinds of random four or five letter names were appearing in my windows/system or windows/system32 folder. I kept deleting them, but new ones would appear. (I had the computer on overnight and there were hundreds of them!) I knew they had to be bogus because they had just appeared in the past 2 days and if I right clicked and looked under properties there was no version tab. Some wouldn't delete though and I couldn't shut them down through task manager: access denied. So I went into safe mode and deleted them (which was a bitch because for some reason my mouse wasn't working in safe mode) and deleted a .dll file that had appeared in the past two days but also had no version tab in properties and... upon reboot... problem gone!!! (I hope!). There are no messages from my SpyWareBlaster and SpyWareGuard programs, no mysterious windows popping up. I was going to post my HijackThis log here, but apparently I don't need to now. I'll be sure to post it here should the problem return. I hope you all get these bastards!
     
  3. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    Updates guys (because I can't seem to edit my own post anymore). Here we go:

    DLL / Hijack Variants (begins with res://):
    agppa.dll
    orugt.dll
    bzxlc.dll
    mshp.dll
    idvxj.dll
    fkxmn.dll
    mptst.dll
    bxxs5.dll

    Items in Uninstall List:
    Home Search Assistent

    Popup Windows associated:
    Only the best

    Programs Affected:
    Internet Explorer
    Microsoft Office 2003 Professional (tries to re-install program)
    Norton Internet Security 2004 (causes occasional program component failures, sometimes results in restarts upon an initiated scan)

    How this thing works (speculations):
    Once it "installs" itself onto the computer, it proceeds to hijack the user's homepage and reset it to "res://*****.dll/index.html#****", insert a registry key that prevents re-writes, and backs itself up in order to avoid deletion. It also installs the "Home Search Assistent" into the Add/Remove programs list, which is a dummy file that forces the user to be re-directed to a Russian porn site if an uninstall is attempted.

    Noticed effects:
    • Office 2003 program installer/configurator is activated upon any new window popup, be it Internet Explorer or even a Windows Explorer window.
    • Homepage is hijacked upon restart / IE window close.
    • "Only the best" popup window appears while browsing.
    • New search window is opened when a Google or MSN search is attempted.
    • "Unable to load page" standard in Windows is replaced with a custom one.
    • Each new window's or page section's performance is reduced significantly.
    • Norton AntiVirus 2004 Auto-Protect crashes if a SpyBot search is attempted.
    • NAV2004 encounters a 1002,2 error (related to wintrust.dll)
    • Norton Internet Security 2004 has occasional component failures either during standard Windows operation, or upon restart.
    • Evades Adaware, Spybot S&D, and CWShredder scans if run for a second time.
    • Creates bogus registry keys.
    • Hides itself when in safe mode (agppa.dll variant)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I've also seen: cmttq.dll and blabla.dll
     
  5. timasmith

    timasmith Private E-2

    For the record, it seems to also cause IE to crash when the user tries to go to Trend Micro and run a scan. I've been working on it for a full day now and it's driving me, like everyone else, crazy!
     
  6. jrf77

    jrf77 Private E-2

    so what is the best fix guys? Here is my log

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QUICKENW\QAGENT.EXE
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\system32\mshq.exe
    C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\d3ru32.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\SealedMedia\sealmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Ross\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rigxz.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rigxz.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rigxz.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rigxz.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rigxz.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rigxz.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SAS.SE1.ATTBB.NET:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.SE1.ATTBB.NET;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C726D36D-9BDF-0383-F849-161DD3B7B85F} - C:\WINDOWS\system32\netiq32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [NDplDeamon] winlogin.exe
    O4 - HKLM\..\Run: [ddi] winupdate.exe
    O4 - HKLM\..\Run: [mshq.exe] C:\WINDOWS\system32\mshq.exe
    O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
    O4 - HKLM\..\RunOnce: [d3ru32.exe] C:\WINDOWS\system32\d3ru32.exe
    O4 - HKLM\..\RunOnce: [crlx32.exe] C:\WINDOWS\crlx32.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  7. jnick

    jnick Private E-2

    I would also like to know how to get rid of this thing. I had it for a mere 5 minutes, and it's pissing me off! I have the bzxlc.dll variant. Any suggestions (though I posted a thread about it)

    Jnick
     
  8. mbenzy

    mbenzy Private E-2

    Regards to all chasing down this problem. Been at it all day myself, with little luck.

    here's my variant: flvku.dll

    and my Hijack log.

    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\BacsTray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\ag\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flvku.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://flvku.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://flvku.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flvku.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://flvku.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\flvku.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {9CF55B4C-92A9-FCA0-F3F7-8F235449A8F8} - C:\WINDOWS\system32\netqr.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [mspo.exe] C:\WINDOWS\mspo.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [bascstray] BascsTray.exe
    O4 - HKLM\..\Run: [bacstray] BacsTray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [syskw.exe] C:\WINDOWS\system32\syskw.exe
    O4 - HKLM\..\RunOnce: [sdkop.exe] C:\WINDOWS\sdkop.exe
    O4 - HKLM\..\RunOnce: [apiew.exe] C:\WINDOWS\system32\apiew.exe
    O4 - HKLM\..\RunOnce: [windy32.exe] C:\WINDOWS\windy32.exe
    O4 - HKLM\..\RunOnce: [msmr.exe] C:\WINDOWS\msmr.exe
    O4 - HKLM\..\RunOnce: [iptm.exe] C:\WINDOWS\iptm.exe
    O4 - HKLM\..\RunOnce: [msdu32.exe] C:\WINDOWS\msdu32.exe
    O4 - HKLM\..\RunOnce: [appba32.exe] C:\WINDOWS\appba32.exe
    O4 - HKLM\..\RunOnce: [mswe.exe] C:\WINDOWS\system32\mswe.exe
    O4 - HKLM\..\RunOnce: [iebx32.exe] C:\WINDOWS\system32\iebx32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PGPtray.lnk = ?
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    Updated list (holy crap this thing keeps changing):

    DLL / Hijack Variants (begins with res://):
    agppa.dll
    orugt.dll
    bzxlc.dll
    mshp.dll
    idvxj.dll
    fkxmn.dll
    mptst.dll
    bxxs5.dll
    bvlsb.dll
    rigxz.dll
    cmttq.dll
    blabla.dll

    Items in Uninstall List:
    Home Search Assistent

    Popup Windows associated:
    Only the best

    Programs Affected:
    Internet Explorer
    Microsoft Office 2003 Professional
    Norton Internet Security 2004

    How this thing works (speculations):
    Once it "installs" itself onto the computer, it proceeds to hijack the user's homepage and reset it to "res://*****.dll/index.html#****", insert a registry key that prevents re-writes, and backs itself up in order to avoid deletion. It also installs the "Home Search Assistent" into the Add/Remove programs list, which is a dummy file that forces the user to be re-directed to a Russian porn site if an uninstall is attempted.

    Noticed effects:
    • Office 2003 program installer/configurator is activated upon any new window popup, be it Internet Explorer or even a Windows Explorer window.
    • Homepage is hijacked upon restart / IE window close.
    • "Only the best" popup window appears while browsing.
    • New search window is opened when a Google or MSN search is attempted.
    • "Unable to load page" standard in Windows is replaced with a custom one.
    • Each new window's or page section's performance is reduced significantly.
    • Norton AntiVirus 2004 Auto-Protect crashes if a SpyBot search is attempted.
    • NAV2004 Auto-Protect crashes randomly.
    • NAV2004 encounters a 1002,2 error (related to wintrust.dll).
    • Norton Internet Security 2004 has occasional component failures either during standard Windows operation, or upon restart.
    • Evades Adaware, Spybot S&D, and CWShredder scans if run for a second time.
    • Trend Micro, Panda Scan (or whatever), and other online antiviral scanners crash Internet Explorer during scan.
    • Creates bogus registry keys.
    • Hides itself when in safe mode (agppa.dll variant).
    Hey, Major Attitude, can you make this a sticky?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi DarkAngel,

    You're right, it constantly changes, and if you delete the items using HijackThis they come back again with new names. By the way, you left out two new names from the HijackThis logs people posted here. I think we are going to find that tracking those file names may be a waste of time. They are going to constantly change. Everyone can likely recognize the problem just by the syntax seen in the HijackThis R0 & R1 sections ("res://*****.dll/index.html#****").

    HEY EVERYONE STOP POSTING HIJAAK THIS LOGS HERE! THAT IS NOT WHAT THIS THREAD WAS MEANT FOR. Sorry about the shouting! Just post symptom information and the offending DLL info.
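The point chaslang makes above, that the stable signal is the `res://<name>.dll/<page>.html#<digits>` syntax in the R0/R1 lines rather than the ever-changing DLL names, can be turned into a small log triage script. The following is an added example for this thread; it is not code from the thread, from HijackThis, or from any tool named here. It reads HijackThis-style text only (no registry access, no deletion). The sample lines are constructed, modelled on the logs jrf77 and mbenzy posted; the O2 line with an all-zero GUID is an invented placeholder included only to show how a second line referencing the same DLL gets pulled into the report. It deliberately does not guess at "random-looking" file names, since those change from post to post.

```python
"""Flag the res://<name>.dll/<page>.html#<digits> hijack value in HijackThis-style log lines.

Added example for this thread (not the thread's or HijackThis's own code).
Text-only triage: it reads log lines and reports; it changes nothing on the machine.
"""
import re
from dataclasses import dataclass, field

# The value shape seen in the R0/R1 sections of the posted logs. The container
# must be a .dll and the fragment must be digits, so a legitimate res:// entry
# such as Office's "res://...\EXCEL.EXE/3000" does not match.
RES_HIJACK_RE = re.compile(
    r"res://(?:[A-Za-z]:\\(?:[^\\/]+\\)*)?(?P<dll>[^\\/\s]+\.dll)/(?P<page>[^#\s]+)#(?P<key>\d+)",
    re.IGNORECASE,
)
# HijackThis item lines start with a section tag like R0, R1, O2, O4 ...
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Constructed sample log (modelled on the logs posted in this thread; the O2 line
# with the all-zero GUID is an invented placeholder, not an observed entry).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rigxz.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rigxz.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rigxz.dll/index.html#37049
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\rigxz.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [d3ru32.exe] C:\WINDOWS\system32\d3ru32.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


@dataclass
class Report:
    findings: list = field(default_factory=list)
    dlls: set = field(default_factory=set)   # lower-cased hijack DLL basenames
    keys: set = field(default_factory=set)   # the numeric '#' suffixes seen

    def same_key_everywhere(self):
        """True when every hijack value in this log carries the same trailing digits."""
        return len(self.keys) == 1


def scan_log(text):
    """Return a Report for one HijackThis log given as a string."""
    report = Report()
    parsed = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        section = m.group("section")
        parsed.append((section, line))
        hit = RES_HIJACK_RE.search(line)
        if hit:
            report.dlls.add(hit.group("dll").lower())
            report.keys.add(hit.group("key"))
            report.findings.append(Finding(
                section,
                f"res:// hijack value -> {hit.group('dll')} (#{hit.group('key')})",
                line,
            ))
    # Second pass: any other line that names a DLL seen in a hijack value
    # (a BHO, Run entry, etc.) belongs in the same review.
    for section, line in parsed:
        lowered = line.lower()
        for dll in sorted(report.dlls):
            if dll in lowered and "res://" not in lowered:
                report.findings.append(Finding(section, f"references hijack DLL {dll}", line))
    return report


if __name__ == "__main__":
    rep = scan_log(SAMPLE_LOG)
    for f in rep.findings:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("hijack DLLs:", sorted(rep.dlls), "| keys:", sorted(rep.keys),
          "| same key everywhere:", rep.same_key_everywhere())
```

Running it on the sample reports the three `res://rigxz.dll` values, pulls in the BHO line that loads the same DLL, and leaves the Office `res://...EXCEL.EXE/3000` context-menu entry and the ordinary Run entries alone. The `keys` set is there for Mocha420's question further down the thread about whether everyone's trailing digits match: collect the values from several logs and compare.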
     
  11. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    Well, my variant just mutated only 4 days after infection. Here's the new list:

    DLL / Hijack Variants (begins with res://):
    agppa.dll
    orugt.dll
    bzxlc.dll
    mshp.dll
    idvxj.dll
    fkxmn.dll
    mptst.dll
    bxxs5.dll
    bvlsb.dll
    rigxz.dll
    cmttq.dll
    blabla.dll
    jqnuw.dll New (My mutated variant)
    flvku.dll New
    rigxz.dll New
    ozlrz.dll New
    teivy.dll New

    Items in Uninstall List:
    Home Search Assistent

    Popup Windows associated:
    Only the best

    Programs Affected:
    Internet Explorer
    Microsoft Office 2003 Professional
    Norton Internet Security 2004

    How this thing works (speculations):
    Once it "installs" itself onto the computer, it proceeds to hijack the user's homepage and reset it to "res://*****.dll/index.html#****", insert a registry key that prevents re-writes, and backs itself up in order to avoid deletion. It also installs the "Home Search Assistent" into the Add/Remove programs list, which is a dummy file that forces the user to be re-directed to a Russian porn site if an uninstall is attempted.

    Noticed effects:
    • Office 2003 program installer/configurator is activated upon any new window popup, be it Internet Explorer or even a Windows Explorer window.
    • Homepage is hijacked upon restart / IE window close.
    • "Only the best" popup window appears while browsing.
    • New search window is opened when a Google or MSN search is attempted.
    • "Unable to load page" standard in Windows is replaced with a custom one.
    • Each new window's or page section's performance is reduced significantly.
    • Norton AntiVirus 2004 Auto-Protect crashes if a SpyBot search is attempted.
    • NAV2004 Auto-Protect crashes randomly.
    • NAV2004 encounters a 1002,2 error (related to wintrust.dll).
    • Norton Internet Security 2004 has occasional component failures either during standard Windows operation, or upon restart.
    • Evades Adaware, Spybot S&D, and CWShredder scans if run for a second time.
    • Trend Micro, Panda Scan (or whatever), and other online antiviral scanners crash Internet Explorer during scan.
    • Creates bogus registry keys.
    • Hides itself when in safe mode (agppa.dll variant).
    Hey, Major Attitude, can you make this a sticky?
     
  12. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    Good Lord! It just mutated on my computer within the past 10 minutes! GAHH IT DID IT AGAIN!!!

    Here's the new list:

    DLL / Hijack Variants (begins with res://):
    agppa.dll
    orugt.dll
    bzxlc.dll
    mshp.dll
    idvxj.dll
    fkxmn.dll
    mptst.dll
    bxxs5.dll
    bvlsb.dll
    rigxz.dll
    cmttq.dll
    blabla.dll
    jqnuw.dll
    flvku.dll
    rigxz.dll
    ozlrz.dll
    teivy.dll
    nvjku.dll New
    gzxdc.dll New
    atlgd.dll New
    msopt.dll New


    Items in Uninstall List:
    Home Search Assistent

    Popup Windows associated:
    Only the best

    Programs Affected:
    Internet Explorer
    Microsoft Office 2003 Professional
    Norton Internet Security 2004

    How this thing works (speculations):
    Once it "installs" itself onto the computer, it proceeds to hijack the user's homepage and reset it to "res://*****.dll/index.html#****", insert a registry key that prevents re-writes, and backs itself up in order to avoid deletion. It also installs the "Home Search Assistent" into the Add/Remove programs list, which is a dummy file that forces the user to be re-directed to a Russian porn site if an uninstall is attempted.

    Noticed effects:
    • Office 2003 program installer/configurator is activated upon any new window popup, be it Internet Explorer or even a Windows Explorer window.
    • Homepage is hijacked upon restart / IE window close.
    • "Only the best" popup window appears while browsing.
    • New search window is opened when a Google or MSN search is attempted.
    • "Unable to load page" standard in Windows is replaced with a custom one.
    • Each new window's or page section's performance is reduced significantly.
    • Norton AntiVirus 2004 Auto-Protect crashes if a SpyBot search is attempted.
    • NAV2004 Auto-Protect crashes randomly.
    • NAV2004 encounters a 1002,2 error (related to wintrust.dll).
    • Norton Internet Security 2004 has occasional component failures either during standard Windows operation, or upon restart.
    • Evades Adaware, Spybot S&D, and CWShredder scans if run for a second time.
    • Trend Micro, Panda Scan (or whatever), and other online antiviral scanners crash Internet Explorer during scan.
    • Creates bogus registry keys.
    • Hides itself when in safe mode (agppa.dll variant).
    Hey, Major Attitude, can you make this a sticky?
     
  13. At Large

    At Large Private E-2

    I've got this hijack too... my variant is called "pnskb.dll". Biggest pain I've ever had!!
     
  14. At Large

    At Large Private E-2

    Also, in addition to the "Home Search Assistent" there is another program called "Shopping Wizzard" which I think is also linked to the 'Only The Best' virus....it causes re-directs to http://looking-for.cc
     
  15. jnick

    jnick Private E-2

  16. Mocha420

    Mocha420 Private E-2

    Yeah, I'm trying to figure out how to solve this problem myself. So far I'm just about to format my computer and chuck it out the window, but I wanna play around with it and try to fix it. I already tried to re-encode the dll files but they just seem to re-encode themselves as time goes by and duplicate in your windows directory. Whoever came up with this is a total F*##*&#$. With that said, there's also teivy.dll and ozlrz.dll, and please shorten your "hijackthis" logs; I understand why the forum admins have that rule posted up, IT'S ANNOYING, thank you. G'luck to everyone who is trying to figure out a way to solve this.
     
  17. Mocha420

    Mocha420 Private E-2

    *i cant seem to edit my post*

    One more quick thing, I just noticed that whenever I search Google or MSN... the site that pops up has the SAME first link; it's a spyware/adware program *which I think is also a virus*.

    Other than that, is everyone else's key (digits) at the end of "res://*****.dll/index.html#****" the same?
     
  18. jnick

    jnick Private E-2

    Yes . . . But why format? I'm sure there will be a fix sooner or later . . . Lavasoft is already working on one, I think . . . At least people are talking about it in the forums.

    P.s. Has anyone tried anything in Start > Run > regedit ?? I was in there before, I searched my version (bvlsb) and stuff came up, I just don't know what I'm supposed to do from there . . .
     
  19. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    The stuff that comes up is most likely the registry keys about your homepage. Whatever this thing is, it seems to overwrite them.

    Sweet Jesus, it mutated on my computer again... but now it won't even load a webpage! It just tried to load that .dll without it even being present.
     
  20. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    Another hour, another list of mutations:

    DLL / Hijack Variants (begins with res://):
    agppa.dll
    orugt.dll
    bzxlc.dll
    mshp.dll
    idvxj.dll
    fkxmn.dll
    mptst.dll
    bxxs5.dll
    bvlsb.dll
    rigxz.dll
    cmttq.dll
    blabla.dll
    jqnuw.dll
    flvku.dll
    rigxz.dll
    ozlrz.dll
    teivy.dll
    nvjku.dll
    gzxdc.dll
    atlgd.dll
    msopt.dll
    pnskb.dll New
    fbshz.dll New
    npsfi.dll New


    Items in Uninstall List:
    Home Search Assistent
    Shopping Wizzard (?) New

    Popup Windows associated:
    Only the best

    Programs Affected:
    Internet Explorer
    Microsoft Office 2003 Professional
    Norton Internet Security 2004

    How this thing works (speculations): (New Discoveries)
    Once it "installs" itself onto the computer, it proceeds to hijack the user's homepage and reset it to "res://*****.dll/index.html#96676", insert a registry key that prevents re-writes, and backs itself up in order to avoid deletion. The .dll file also mutates, renaming itself to avoid anti-spyware scans. It also installs the "Home Search Assistent" into the Add/Remove programs list, which is a dummy file that forces the user to be re-directed to a Russian porn site if an uninstall is attempted.

    Noticed effects:
    • Office 2003 program installer/configurator is activated upon any new window popup, be it Internet Explorer or even a Windows Explorer window.
    • Homepage is hijacked upon restart / IE window close.
    • "Only the best" popup window appears while browsing.
    • New search window is opened when a Google or MSN search is attempted.
    • "Unable to load page" standard in Windows is replaced with a custom one.
    • Each new window's or page section's performance is reduced significantly.
    • Norton AntiVirus 2004 Auto-Protect crashes if a SpyBot search is attempted.
    • NAV2004 Auto-Protect crashes randomly.
    • NAV2004 encounters a 1002,2 error (related to wintrust.dll).
    • Norton Internet Security 2004 has occasional component failures either during standard Windows operation, or upon restart.
    • Evades Adaware, Spybot S&D, and CWShredder scans if run for a second time.
    • Trend Micro, Panda Scan (or whatever), and other online antiviral scanners crash Internet Explorer during scan.
    • Creates bogus registry keys.
    • Prevents RegCleaner from running (?) New
    • Hides itself when in safe mode.
     
  21. jnick

    jnick Private E-2

    You're right . . . Damn! How are we gonna kill this thing?

    Count me in on the HomeSearch Busters team - lol. There's gotta be a solution . . .

    BTW, What would you call this? Virus? Trojan, Spyware?? Seems to be an ultimate combination!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since I do not have the problem, I cannot debug it first hand. So I have a suggestion for you guys that have the problem. First, if you do not already have a firewall program installed, get one (like ZoneAlarm Free or Sygate, both available here on MG's) and set it up to show incoming and outgoing indications. Second, an item to try that could help us find this piece of crap: Security Task Manager. Download it from http://www.neuber.com/taskmanager/download.html and check it out. Maybe we can find some process running that is suspicious. This is 30-day trial software, so use it quickly.

    If everyone having the problem can do this, we may find some common program that begins the mutation. I have a feeling something is attached to IE.
     
  23. jnick

    jnick Private E-2

    Awesome.

    I'll get the program now, and see if I can get it to log files.

    I have Norton's Internet Security . . . That should show connections, right? Then again, this also shows connections:

    Run > cmd > netstat -n

    Shows all established and timed out connections. Would that help at all?


    Jnick
     
  24. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    Spybot just kicked out some suspicious discoveries. I've added them below:

    DLL / Hijack Variants (begins with res://):
    agppa.dll
    orugt.dll
    bzxlc.dll
    mshp.dll
    idvxj.dll
    fkxmn.dll
    mptst.dll
    bxxs5.dll
    bvlsb.dll
    rigxz.dll
    cmttq.dll
    blabla.dll
    jqnuw.dll
    flvku.dll
    rigxz.dll
    ozlrz.dll
    teivy.dll
    nvjku.dll
    gzxdc.dll
    atlgd.dll
    msopt.dll
    pnskb.dll
    fbshz.dll
    npsfi.dll

    Unknown .exe files related (HK_LM:RunOnce startup command): New
    d3hc32.exe
    d3gw32.exe
    sdkdz.exe

    Items in Uninstall List:
    Home Search Assistent
    Shopping Wizzard (?)

    Popup Windows associated:
    Only the best

    Programs Affected:
    Internet Explorer
    Microsoft Office 2003 Professional
    Norton Internet Security 2004

    How this thing works (speculations): (New Discoveries)
    Once it "installs" itself onto the computer, it proceeds to hijack the user's homepage and reset it to "res://*****.dll/index.html#96676", insert a registry key that prevents re-writes, and back itself up in order to avoid deletion. The .dll file also mutates, renaming itself to avoid anti-spyware scans. It also installs the "Home Search Assistent" into the Add/Remove programs list, which is a dummy file that forces the user to be re-directed to a Russian porn site if an uninstall is attempted.

    Noticed effects:
    • Office 2003 program installer/configurator is activated upon any new window popup, be it Internet Explorer or even a Windows Explorer window.
    • Homepage is hijacked upon restart / IE window close.
    • "Only the best" popup window appears while browsing.
    • New search window is opened when a google or msn search is attempted.
    • "Unable to load page" standard in windows is replaced with a custom one.
    • Each new window's, or page section's, performance is reduced significantly.
    • Norton AntiVirus 2004 Auto-Protect crashes if a SpyBot search is attempted.
    • NAV2004 Auto-Protect crashes randomly.
    • NAV2004 encounters a 1002,2 error (related to wintrust.dll).
    • Norton Internet Security 2004 has occasional component failures either during standard Windows operation, or upon restart.
    • Evades Adaware, Spybot S&D, and CWShredder scans if run for a second time.
    • Trend Micro, Panda Scan (or whatever), and other online antiviral scanners crash Internet Explorer during scan.
    • Creates bogus registry keys.
    • Prevents RegCleaner from running (?)
    • Hides itself when in safemode.
     
  25. ~~ADAM~~

    ~~ADAM~~ Private E-2

    any luck yet guys?

    i also wanted to add another dll:
    bijud.dll
     
  26. jnick

    jnick Private E-2

    Chaslang,

    Ok, I downloaded the program. It showed all of the processes. The problem is, when you export it to a .txt it's a total mess. So I copied everything from the exported .txt and brought it to Excel. I then pasted the information. But uploads don't accept .xls, so I had to zip it. So finally, just download the zipped file and open the Excel file; there will be all of the information. If that doesn't work, I'll screenshot it.

    Jnick

    sdkdz.exe
    That's definitely in my startup.

    UPDATE: I'm sorry! It's sdkdx.exe - New variation?
     


  27. jnick

    jnick Private E-2

    Damn, get ready to add some new .exe:

    sdkfh.exe

    CORRECTION:

    sdkdx.exe is really:

    sdkdx32.dll

    Everyone who wants to help, PLEASE download that program chaslang said - it seems to show EVERYTHING. We may be able to stop this thing.
     
  28. jnick

    jnick Private E-2

    Chaslang: It shows sdkdx32.dll as 82% dangerous - Should I try to remove that from my system, along with other similar looking files or .exe listed, and see what happens?

    Jnick
     
  29. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    **ALERT** Recent discoveries have concluded that this file is using the system32 directory as a base of operations. Be on the lookout for .exe's and .dll's without any form of version identification dated on or after April 1st, 2004.

    chaslang, can you look in your healthy comp for these files? if they're not there, then we may be on to something...

    DLL / Hijack Variants (begins with res://):
    agppa.dll
    orugt.dll
    bzxlc.dll
    mshp.dll
    idvxj.dll
    fkxmn.dll
    mptst.dll
    bxxs5.dll
    bvlsb.dll
    rigxz.dll
    cmttq.dll
    blabla.dll
    jqnuw.dll
    flvku.dll
    rigxz.dll
    ozlrz.dll
    teivy.dll
    nvjku.dll
    gzxdc.dll
    atlgd.dll
    msopt.dll
    pnskb.dll
    fbshz.dll
    npsfi.dll
    bijud.dll

    Unidentified/Unknown .exe/.dat/.dll in System32 directory: (Note: Do NOT delete these files until their true nature can be found)
    d3hc32.exe
    d3gw32.exe
    sdkdz.exe
    sdkdx.exe (variant?)
    crxw.exe
    mfcts32.exe
    winra.exe
    ntkr32.dll
    ctvji.dat
    qheyh.dat

    Items in Uninstall List:
    Home Search Assistent
    Shopping Wizzard (?)

    Popup Windows associated:
    Only the best

    Programs Affected:
    Internet Explorer
    Microsoft Office 2003 Professional
    Norton Internet Security 2004

    How this thing works (speculations): (New Discoveries)
    Once it "installs" itself onto the computer, it proceeds to hijack the user's homepage and reset it to "res://*****.dll/index.html#96676", insert a registry key that prevents re-writes, and back itself up in order to avoid deletion. The .dll file also mutates, renaming itself to avoid anti-spyware scans. It also installs the "Home Search Assistent" into the Add/Remove programs list, which is a dummy file that forces the user to be re-directed to a Russian porn site if an uninstall is attempted.

    Noticed effects:
    • Office 2003 program installer/configurator is activated upon any new window popup, be it Internet Explorer or even a Windows Explorer window.
    • Homepage is hijacked upon restart / IE window close.
    • "Only the best" popup window appears while browsing.
    • New search window is opened when a google or msn search is attempted.
    • "Unable to load page" standard in windows is replaced with a custom one.
    • Each new window's, or page section's, performance is reduced significantly.
    • Norton AntiVirus 2004 Auto-Protect crashes if a SpyBot search is attempted.
    • NAV2004 Auto-Protect crashes randomly.
    • NAV2004 encounters a 1002,2 error (related to wintrust.dll).
    • Norton Internet Security 2004 has occasional component failures either during standard Windows operation, or upon restart.
    • Evades Adaware, Spybot S&D, and CWShredder scans if run for a second time.
    • Trend Micro, Panda Scan (or whatever), and other online antiviral scanners crash Internet Explorer during scan.
    • Creates bogus registry keys.
    • Prevents RegCleaner from running (?)
    • Hides itself when in safemode.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For now I would just try renaming or moving the files so that you could put them back if they wind up being something required by your system. Make sure you keep track of old and new names. Something like sdkdx32.dll to sdkdx32dll.bad should be easy enough to figure out. The problem is that this may have to be done in safe mode. Things to check for that may indicate problem files that are bad:

    1) same date and time stamp of files (could be current date & time but may not be)
    2) check properties on the EXEs and DLLs by right click on them and check company information. Most baddies may not even have a version tab in the properties window. This should trigger suspicion but does not 100% mean it is a baddie.
    3) in the Security Task Manager watch what processes are spawned when you open IE
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    DarkAngel,

    Everyone has different OSs, so you cannot always be sure about which DLLs are needed. Right now I'm at work and on a Win2K PC. One dll I saw right away that is a typical pickup in HijackThis logs is the bxxs5.dll. This is the BookedSpace BHO, see: http://www.pestpatrol.com/pestinfo/b/bookedspace.asp#Detection%20and%20Removal

    Most of the other ones I have seen in all the messages about Only the Best problems.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  33. jnick

    jnick Private E-2

    I think I may have stumbled upon something here.

    I searched (manually) my system32 folder, and any .exe and .dll I KNEW were associated with this HomeSearch agent, I QUARANTINED with NAV2003. 2 .exe wouldn't quarantine, so I MOVED them to My Documents, and out of system32. I have a total of 9 files in quarantine, and 2 in My Documents.

    Now, my HomeSearch Agent thingy has changed its "url". The dll before was bvslb and now it's like hdhct. So my guess is, it installs MANY copies of itself. As they go one by one, it uses another version. My guess is, we have to MANUALLY take out these files out of system32 WITHOUT opening up IE until your system32 folder LOOKS clean.

    Also, with these 2 .exe files in My Documents, could they still execute themselves? I can't even delete it and keep it in the recycle bin - it won't let me.
     
  34. SDSilverA4

    SDSilverA4 Private E-2

    Hi all, I think I've got one of these variations as well. I have SpywareGuard installed and it is constantly telling me about BHO's or other IE things being changed. I'm not sure if this is another symptom or not. With filenames, etc. I have already seen dozens of mutations of some of these DLL's like d3*.dll
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    jnick,

    Remember earlier I said, "The problem is that this may have to done in safe mode."

    In order to delete these files, or rename them, or move them you may need to be in safe mode.

    My guess on this problem is that the more we delete and rename, the more we are going to wind up with. We need to find the source DLL or EXE. Also, I believe the registry is possibly being filled with this crap too. Another useful application everyone with this problem should be using while debugging is:

    http://www.sysinternals.com/ntw2k/source/regmon.shtml

    works on Windows NT/2000/XP/2003 and Windows 95/98/Me
     
  36. jnick

    jnick Private E-2

    Ok, but that's just a monitoring program . . . wouldn't we need some kind of Registry Cleaner? Or should I say, do you think one will help?

    I also agree . . . I think the registry IS where the source is.
     
  37. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    HOUSTON, WE HAVE A NAME!!!

    I just ran a scan of my system32 folder using NAV2004 and here's what it kicked out (based on the files listed in previous posts):

    Adware.Iefeats
    Adware.Winshow

    I'm going to try it again in safe mode so I can delete them. Wish me luck...
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you looked at that thread I named a while back (http://www.majorgeeks.com/vb/showthread.php?t=34786) that I was working with Andy R on, you'll see I gave those two names a couple days ago. They did not work in either case. That is, neither program was seen in Add\Remove programs.
     
  39. jnick

    jnick Private E-2

    Please let me know.

    Also, after quarantining some of the .dll files, which were located in the main Windows folders (the name variants, i.e. bvslb.dll), I quarantined the halag.dll, which my browser opens to, but since it's quarantined, I just get page cannot be displayed now, instead of home search.

    I was also thinking, if this doesn't work, wouldn't reinstalling/repairing windows do the trick. It reinstalls the whole windows folder . . . but doesn't touch any programs/applications.

    Jnick
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may as well just format and re-install everything. You would lose the ability to run all non-MS Windows installed apps anyway (not their data), but the fact that they were even installed would be missing from the registry, and file associations etc. all lost.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hey guys check this thread out: http://www.majorgeeks.com/vb/showthread.php?t=35002

    Andy R is back on line and the things we were working on the other day (night) are working out for him thus far. All you guys with this problem, give it a try and post back success or fail.
     
  42. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    Yeah, I tried the "safemode delete" method, but that didn't work. I tried Andy's method, and it didn't work; it just mutated again...

    Stupid persistent little bugger...
     
  43. jnick

    jnick Private E-2

    What to do, What to do . . .


    Format . . .?
     
  44. Mocha420

    Mocha420 Private E-2

    I just figured out that it has an exe file named "scvhost.exe"; maybe that might help all of you.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If running WinME or XP, first disable system restore, then try the safe mode deletion and Andy's method.
     
  46. Mocha420

    Mocha420 Private E-2

    Okay, I think I'm getting somewhere with all this with all your help. What I did was I turned off system restore, after that I went into safe mode, opened up HijackThis, and took out whatever looked fishy to me. After that I turned on Security Task Manager and looked for anything that was fishy, because in safe mode there shouldn't be a lot of stuff open besides the basics. After that I went into the system32 folder in windows\ and then I manually deleted w/e .exe file had recently been added, and I did the same for any dll or exe file in the Windows directory. I know it's not really a "SAFE" way to do that, but eh, it was worth a try because I'm ready to format any minute now. And so far no pop ups and my IE is running WAY smoother and also no stupid search engines. Let's see how this turns out and I'll update ASAP. G'luck to everyone else.
     
  47. jnick

    jnick Private E-2

    I have a similar "fix" I'm going to try now.

    If it works, I'll post up, step-by-step what I did to fix it . . . cross your fingers . . .
     
  48. DarkAngel_ZERO

    DarkAngel_ZERO Private E-2

    I have sys restore off by default because of an earlier bug (Norton told me to do it). Good news though: the Process Explorer uncovered some more .exe goodness. here's what I've determined:

    ntkr32.dll is a function of IEXPLORE.exe when IE is opened after restart, yet it isn't a Microsoft file.

    ippo.exe is a branch extension to IEXPLORE.exe when IE is double clicked while a browser window is open. It proceeds to open 2 more branches with two more bogus .exe files. ippo.exe then becomes a system process outside of all trees, along with winra.exe.

    Jesus...this thing needs to be shot.
     
  49. jnick

    jnick Private E-2

    Solution

    I have found a SOLUTION!

    - Start the machine in safe mode

    - Delete the corresponding DLL to the one that is in your URL res://***** (along with others which you KNOW are bad)

    - Open HiJack This and get rid of everything which does not belong, or ANYTHING which looks suspicious. To make sure, check out LIUtilities.com. Click their Professional version. In here they will show the list of common running applications, and processes.

    - Run CWShredder to be on the Safe Side

    - Run Security Task Manager

    - Run Adaware or SpyBot S&D

    - Manually search The system32 folder for more DLL, EXE, or DAT (arrange by modified - easiest way)

    - Do the same thing except just in the Windows folder (I found some there too!)

    - Go to Start > Run > regedit > Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. Click the [+] next to Uninstall. Scroll down until you see the NAMES of programs, not the numbers in {,}. Find:

    HSA = Home Search Agent
    SA = Search Assistant
    SW = Shopping Wizzard

    To double check, on the left pane, it will say what they are. Highlight one at a time, and hit your delete key. Once you delete all three, you may exit.


    - Remap your homepage to the appropriate place.

    - Clearing Cookies, Files, and history will help to be extra safe.

    - To double check, if you want, run ANY of the programs we previously ran (HJT, Security Task Manager, or Adaware/SBS&D).

    - Restart the computer in normal mode.

    - Run HJT and Security Task Manager to make sure nothing else spawned (you may find 1 or 2). If so, delete them.

    - Open IE and give it a shot. After IE is opened, bring up HJT again, to make sure nothing was triggered by the start of IE. If so delete it, if not - CONGRATULATIONS.

    This worked for me. I have yet to have a popup, my home page worked, Home Search Agent is gone, along with Shopping wizzard, and Search Assistant. The only thing I STILL get is on initiation of IE, It still asks for the CD to install Microsoft Office XP Professional. Maybe I will just uninstall it and reinstall it to see how it goes.

    Though, I'm not sure if this TOTALLY vanishes it from one's system. There is no trace of it yet, but hey, it's suitable until someone comes out with a fix for it.

    (Thanks to EmTrix from spywareinfo for some of the methods.)

    Thank you and Good Luck all.

    Jnick
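    A read-only PowerShell version of chaslang's three checks (post 30) and of the system32 search and regedit steps in jnick's solution above, added here as an example; it is not something posted in the thread. It assumes PowerShell 3 or later (which did not exist in 2004), uses the April 1st, 2004 cutoff from DarkAngel_ZERO's alert as its default, and only lists what it finds, so the rename-rather-than-delete advice still applies to anything it reports.

```powershell
# Read-only triage for the Home Search Assistant / "Only the best" hijacker.
# Added example, not from the thread; it reports and renames/deletes nothing.
# Assumes PowerShell 3 or later, run from an elevated console.
param(
    [datetime]$Since = '2004-04-01',   # DarkAngel_ZERO's cutoff; change to fit your case
    [string[]]$Dirs  = @("$env:SystemRoot\System32", $env:SystemRoot)
)

# Step 1 (jnick's manual search, chaslang's check 2): .exe/.dll/.dat files in
# the Windows folders, modified on/after the cutoff, with no Company or Product
# in their version resource. Missing version info is a hint, not proof.
$suspects = foreach ($d in $Dirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.exe', '.dll', '.dat') } |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Where-Object {
            $v = $_.VersionInfo
            [string]::IsNullOrWhiteSpace($v.CompanyName) -and
            [string]::IsNullOrWhiteSpace($v.ProductName)
        }
}
"== Unversioned files modified since $($Since.ToShortDateString()) =="
$suspects | Sort-Object LastWriteTime |
    ForEach-Object { "{0}  {1,8} bytes  {2}" -f $_.LastWriteTime, $_.Length, $_.FullName }

# Step 2 (chaslang's check 1): several suspects sharing one time stamp.
"== Files with identical time stamps =="
$suspects | Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "$($_.Name): $($_.Group.Name -join ', ')" }

# Step 3 (jnick's step 2): which DLL the hijacked Start Page actually names.
"== Start Page =="
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
$start = "$($ie.'Start Page')"
if ($start -match '^res://([^/]+\.dll)') { "res:// page served from $($matches[1])" } else { $start }

# Step 4 (jnick's regedit step): the HSA / SA / SW uninstall entries.
"== Uninstall entries =="
$pattern = 'Home Search|Search Assistant|Shopping Wiz'
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -match $pattern -or $_.PSChildName -match $pattern } |
    ForEach-Object { "$($_.PSChildName): $($_.DisplayName) -> $($_.UninstallString)" }

# Step 5 (the RunOnce startup command in the thread's list): autorun values
# that point at one of the suspect files.
"== Run/RunOnce values naming a suspect =="
$names = @($suspects | Select-Object -ExpandProperty Name)
foreach ($k in 'Run', 'RunOnce') {
    $vals = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k" -ErrorAction SilentlyContinue
    if (-not $vals) { continue }
    foreach ($prop in $vals.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        foreach ($n in $names) {
            if ("$($prop.Value)" -like "*$n*") { "$k\$($prop.Name) = $($prop.Value)" }
        }
    }
}
```

    Run it once before and once after opening IE, as jnick's last step does with HJT, and compare the two listings to see what the browser start spawned.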
     
  50. SDSilverA4

    SDSilverA4 Private E-2

    JNicks, first of all thanks for your help and diligence in this (along with everyone else who's trying to get rid of this crap).

    I tried out what you suggested and it didn't work--I think I wasn't able to remove all the DLL's. What is the best way to compile a list of the files I will need to delete because everyone's machines seem to have different file names now....
     