Hijacked browser when bad URL is typed

Basically, we have a procedure. We ask people to do our tutorial, it helps most:

http://forums.majorgeeks.com/showthread.php?t=35407

Then return if symptoms persist and let us know what they are, at that point we may ask for a log file.

 

Alright, then toss me a log file, will look at it as soon as I can.

 

This step is only necessary if you have the about:blank or home search hijack. Which it does not sound like you have from what you said thus far. Also I would expect that it does not matter what language your OS is in. I would expect that the hijackers always say the same thing. But I cannot be positive of that since I never saw a system where the OS is for another language.

Questions:
1) when we say use "services.msc" what do you use to get the service window to come up.
2) Windows has a valid service name RpcSs which is Remote Procedure Call (RPC). What is this in your OS? I would expect the same filenames. The path to executable is: C:\WINDOWS\system32\svchost -k rpcss. (AGAIN NOTE THIS IS NOT A BAD PROCESS. I'M NOT SAYING TO SHUT IT DOWN. I'm just trying to learn if the services are actually listed differently in your system.

 

Thanks for the German lesson Tristan. By the way in the future please attach HijackThis logs to your message. See how I have changed yours.

Also you need to extract HijackThis from the ZIP file and put it into its own directory as indicated in the HijackThis tutorial. You will not get any backups the way you are running it.

 

Make sure you have viewing of hidden files enabled and that system restore is disabled.

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
sysdpt.exe
dluxde.exe
jhqnmlgz.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
F3 - REG:win.ini: run=c:\windows\system32\sysdpt.exe
O2 - BHO: Saristar - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50} - C:\WINDOWS\System32\saristar.dll
O4 - HKLM\..\Run: [DLuxde] c:\program files\dialers\dluxde\dluxde.exe /nocomm
O4 - HKLM\..\Run: [Sysdpt] c:\windows\system32\sysdpt.exe
O4 - HKLM\..\Run: [JHQNMLGZ] c:\windows\system32\jhqnmlgz.exe /install
O4 - HKCU\..\Run: [Unldr16] c:\windows\system32\unldr16.exe
O4 - HKCU\..\Run: [Dlldmt] c:\windows\system32\dlldmt.exe
O4 - HKCU\..\Run: [Sysdpt] c:\windows\system32\sysdpt.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/minidialler/mddl...006_geopro_.exe
O16 - DPF: {D909E944-3A96-4280-9983-9D00001973A4} (Access Control) - http://www.browserplugin.com/plugin...ess_special.ocx

Normally I would boot in safe mode and delete these problem files but for now I'm going to have your just rename some of them (and delete others I'm sure must be deleted) to make sure they are not needed for anything. So boot in safe mode and do what I say for each of the below files. USe Windows Explorer

C:\WINDOWS\System32\saristar.dll <--- delete this one
C:\windows\system32\sysdpt.exe <--- rename to sysdpt.bad
C:\program files\dialers\dluxde\dluxde.exe <--- rename to dluxde.bad
C:\windows\system32\jhqnmlgz.exe <--- rename to jhqnmlgz.bad
c:\windows\system32\unldr16.exe <--- rename to unldr16.bad
c:\windows\system32\dlldmt.exe <--- rename to dlldmt.bad

Now boot in normal mode and post a new HJT log attachment and tell me how things are working.
After a couple days if everything seems okay, I would delete those files we renamed and then enable system restore again.

 

Make sure system restore is disabled and viewing of hidden files is enabled as mentioned in the tutorials.

These two processes running look to be bad to me:
unldrexe.exe
ugjpyezq.exe
Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find those processes and End them.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
F3 - REG:win.ini: run=c:\windows\system32\unldrexe.exe
O4 - HKLM\..\Run: [UGJPYEZQ] c:\windows\system32\ugjpyezq.exe /install
O4 - HKLM\..\Run: [Unldrexe] c:\windows\system32\unldrexe.exe
O4 - HKCU\..\Run: [Cmt101] c:\windows\system32\cmt101.exe
O4 - HKCU\..\Run: [Unldrexe] c:\windows\system32\unldrexe.exe

Boot in safe mode and delete:
C:\windows\system32\unldrexe.exe
C:\windows\system32\ugjpyezq.exe
c:\windows\system32\cmt101.exe

Reboot normal and post a new log and tell me how things look.

 

Looks like unldrexe.exe mutated to cmx32.exe. We may get a similar result again. There could be something else hiding somewhere.

 

Maybe A2 will pick something up. The items that look like PepeTrojans keep occurring too.

 

Bitte schoen (I don't have an umlout on my keyboard. )

Yes download them and run them. But for A2 you will need to connect to them and give them a valid email address to get a key. It is free. A2 needs to be installed whereas the peperfix.exe file is merely run.

 

Good question Kodo!

Tristan,
Did you have an ATI Video Card in here at one time?

Also, do you know what this line is for or from:
O18 - Filter: text/html - {5E64FD1E-A390-4D8D-BF28-BD115145BCF1} - C:\Dokumente und Einstellungen\John\Lokale Einstellungen\Anwendungsdaten\microsoft\internet explorer\V0.26.dat

 

Note the F3 line is gone. Perhaps A2 also fixed this. But the other trojan has changed names again.
O4 - HKLM\..\Run: [MYZHANLO] c:\windows\system32\myzhanlo.exe /install

Tristan,
I have a feeling these may be changing names at each reboot making each time we tell you to fix something uesless since it will not be there the next time you come back. When you come back see if this process is running:
C:\windows\system32\myzhanlo.exe

If so, end it with Task Manager. FIx the O4 line in HJT with that filename on it. And then try to delete the the file using Windows Explorer.

Earlier you said you had "Show all file" enabled. To me that does not mean the same thing as doing the below:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

 

Do you also have a built in graphics display (in particular Nvidia) on the mother board? The reason we are asking this is that we also so a file in your processes that relates to an Nvidia card. The file is C:\WINDOWS\System32\nvsvc32.exe If you do not have a built-in Nvidia card then this file would have to be suspect as being possible something bad. Try right clicking on it (from Windows Explorer) and select Properties and then the Version tab and go thru the item name list and get version and company info etc.

Did you get the O4 line fixed?

Fix that O18 line too!

 

Tristan,

Ooooh! "Greetings God?"

It does not look like you had HJT fix the below line, please do so:
O18 - Filter: text/html - {5E64FD1E-A390-4D8D-BF28-BD115145BCF1} - C:\Dokumente und Einstellungen\John\Lokale Einstellungen\Anwendungsdaten\microsoft\internet explorer\V0.26.dat

Also fix the below line with HJT:
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab


Please rename the nvsvc32.exe file to nvsvc32.badexe.

Also, go back and delete the file we renamed awhile ago (we ranamed them to .bad files):
C:\windows\system32\sysdpt.exe <--- rename to sysdpt.bad
C:\program files\dialers\dluxde\dluxde.exe <--- rename to dluxde.bad
C:\windows\system32\jhqnmlgz.exe <--- rename to jhqnmlgz.bad
c:\windows\system32\unldr16.exe <--- rename to unldr16.bad
c:\windows\system32\dlldmt.exe <--- rename to dlldmt.bad

Run A2 again a let me know if and what it finds.

For that xghytuyj.exe file please click the Version tab and see what information can be found there by clicking on each of the item name fields.

And do you have an Agere Modem. If so, that will explain the existence of AGRSMMSG.exe;

agrsmmsg.exe is the SoftModem Messaging Applet for your AMR modem.
Author: Agere Systems Inc.
Part Of: AMR modem drivers

 

Tristan,

Did you try clicking on the Elementname: fields (under the version tab) for dvsvbeve.exe to see if anymore info showed?

Kodo and I have been talking about this problem and we have two ideas. One I'm going to have you try now, the other Kodo will leave a message about later. If what I have you do in this message does not work then just move on to Kodo's message (when available).

You have to print this instructions or save them locally to a file because it is very important that you disconnect physically from the Internet (that means unplug the ethernet cable from between your DSL modem and your PC - either end is okay). This way no process that may be hiding in the background can sneak out to get information or download anything while we try to fix the problem. The next important step is that you must shut down all Internet Explorer (IE) sessions before continuing and do not run IE again until I ask yo to do so. Make sure you do not run anything else put what I ask you to run. In other words, basically only run HijackThis and Windows Explorer.

1) Make sure your ethernet cable is disconnected and all IE sessions are closed.
2) run Task Manager and right click on the dvsvbeve.exe process and select end process tree.
3) run HijackThis and have it fix the below line:
O4 - HKLM\..\Run: [DVSVBEVE] c:\windows\system32\dvsvbeve.exe /install
4) see if you can delete c:\windows\system32\dvsvbeve.exe (tell me the results of this step). If it does not delete right now in normal boot mode then boot into safe mode and repeat steps 1 to 4 in safe mode (let me know if this was necessary).
5) After getting the file deleted, imediately get a new HJT log (hjt1.txt).
6) Now reboot again into normal mode and get a second HJT log (hjt2.txt).
7) Now connect your ethernet cable back to your PC.
8) Open one IE session (do not surf anywhere) and then close it.
9) Get another HJT log (hjt3.txt).
10) Now run IE again and come back here and post the 3 HJT logs and tell me how the steps went especially step 4.

 

Guten Tag Tristen! Your up early and I'm up way too late.

Just substitute in the new name. Should be easy enough to recognize now. Let us know how it works out.

 

It looks like we finally go this one fixed! Good job Tristan!

 

You're welcome! And we appreciate the praise!