Only The Best, Help Please?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mocha420, Jun 17, 2004.

  1. Mocha420

    Mocha420 Private E-2

    Windows XP, 1.1 GHz, 512MB DDR.

    I know a decent amount about computers and internet browsing, yet still I can't figure out how to solve this on my own. Somehow this THING got on my computer, which was first "teivy.dll"; it kept opening as my homepage. Also, whenever I wrote a website down without the "www." it would say ERROR COULD NOT FIND WEBSITE, and it's pretty annoying when you can't just go to yahoo.com and you have to write out the whole thing. Other than that, it has pretty much slowed down my computer a decent amount whenever I open up IE. It also has a "pop-up" labeled ONLY THE BEST, but I'm pretty sure it's a program, because of the .exe. "res://ozlrz.dll/index.html" is the link it keeps putting up as my homepage. I have tried to delete this annoyance manually and using programs, but so far I'm a failure at it. I tried to use Ad-Aware + Regedit + HijackThis to figure out where the actual problem is, and I still can't. Every time I deleted or re-encoded the teivy.dll file found in C:\windows (I re-encoded it so that it would open up www.google.com), it would turn out to re-encode or duplicate itself, and often other times it would come out with a new name. Thank you in advance for attempting to help.

    (Remember, it'll keep duplicating itself or install using a different name if I delete the things below; at first it was teivy.dll, now it's ozlrz.dll.)

    Logfile of HijackThis v1.97.7
    Scan saved at 1:05:13 AM, on 6/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\addins\ntdll\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\javabi.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sysfz32.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\inetsrv\DavCData.exe
    C:\WINDOWS\System32\cidaemon.exe
    F:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozlrz.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozlrz.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozlrz.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozlrz.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ozlrz.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ozlrz.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: (no name) - {DE874A46-2072-C592-ECE6-3595C207B596} - C:\WINDOWS\system32\sysfz32.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sysfz32.exe] C:\WINDOWS\system32\sysfz32.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/244a6aa172dfd01e9e05/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38031.4527314815
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66749A34-88A0-400B-92F4-3E6A332C07B0}: NameServer = 111.111.111.111,222.222.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E330519C-1437-41C2-B627-D5BACAAA199C}: NameServer = 12.12.12.12,12.12.12.13
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E38A7950-4FCB-4045-9FCB-4B3A3363E534}: NameServer = 12.12.12.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EC186A07-8C5A-4D84-9134-6252B84D67F9}: NameServer = 204.60.203.179 66.73.20.40
     
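    As an added example for readers working through logs like the one above (this is not code from the thread, from MajorGeeks, or from HijackThis itself), the Python script below parses HijackThis-style log lines and flags the patterns a helper checks first: R0/R1 entries whose start or search page points into a DLL via res://, a BHO with no name, an O4 autorun launching an unrecognised executable from a Windows system directory, a core system binary such as lsass.exe running from somewhere other than System32, and O17 NameServer entries to be verified against the ISP. The embedded sample is a constructed subset of the log posted above; the allowlists, the heuristics and the function names are my own assumptions, not HijackThis conventions.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\addins\ntdll\lsass.exe
C:\WINDOWS\javabi.exe
C:\WINDOWS\system32\sysfz32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ozlrz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozlrz.dll/index.html#96676
O2 - BHO: (no name) - {DE874A46-2072-C592-ECE6-3595C207B596} - C:\WINDOWS\system32\sysfz32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysfz32.exe] C:\WINDOWS\system32\sysfz32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC186A07-8C5A-4D84-9134-6252B84D67F9}: NameServer = 204.60.203.179 66.73.20.40
"""

# One HijackThis entry: "<code> - <body>", e.g. "R0 - HKCU\...\Main,Start Page = ..."
ENTRY_RE = re.compile(r"^(?P<code>R\d|O\d+|F\d|N\d) - (?P<body>.*)$")

SYSTEM32 = r"c:\windows\system32"
WINDIR = r"c:\windows"
# Core Windows processes that only ever run from System32 (assumed allowlist).
CORE_SYSTEM32_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                          "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Legitimate executables commonly found directly under C:\WINDOWS (assumed allowlist).
KNOWN_WINDIR_BINARIES = {"explorer.exe", "notepad.exe", "regedit.exe"}


@dataclass
class Finding:
    code: str    # HijackThis section code, or "PROC" for a running process
    detail: str  # the raw log line that triggered the finding
    reason: str


def _parse_processes(lines):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs, collecting = [], False
    for line in lines:
        if line.strip().lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def _check_process(path):
    directory, name = ntpath.split(path)
    d, n = directory.lower(), name.lower()
    if n in CORE_SYSTEM32_BINARIES and d != SYSTEM32:
        return Finding("PROC", path, "core system binary name running outside System32")
    if d == WINDIR and n not in KNOWN_WINDIR_BINARIES:
        return Finding("PROC", path, "unrecognised executable directly under the Windows directory; verify it")
    return None


def _check_entry(code, body, raw):
    if code in ("R0", "R1"):
        _, _, data = body.partition(" = ")
        if data.lower().startswith("res://"):
            return Finding(code, raw, "IE start/search page points into a DLL resource (res://), a classic hijack")
    elif code == "O2" and body.startswith("BHO: (no name)"):
        return Finding(code, raw, "Browser Helper Object registered with no name")
    elif code == "O4":
        # Body looks like: HKLM\..\Run: [Name] "C:\path\prog.exe" -args  or  [Name] C:\path\prog.exe
        _, _, rest = body.partition("] ")
        rest = rest.strip()
        exe = rest[1:rest.find('"', 1)] if rest.startswith('"') else (rest.split()[0] if rest else "")
        directory, name = ntpath.split(exe)
        d, n = directory.lower(), name.lower()
        if d in (SYSTEM32, WINDIR) and n not in CORE_SYSTEM32_BINARIES | KNOWN_WINDIR_BINARIES:
            return Finding(code, raw, "autorun launches an unrecognised executable from a Windows system directory")
    elif code == "O17":
        _, _, servers = body.partition("NameServer = ")
        return Finding(code, raw, f"adapter DNS servers set to {servers.strip()}; confirm they belong to the ISP")
    return None


def analyse(log_text):
    """Return the list of Findings for a HijackThis log, processes first, then entries in log order."""
    lines = log_text.splitlines()
    findings = [f for f in (_check_process(p) for p in _parse_processes(lines)) if f]
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            f = _check_entry(m.group("code"), m.group("body"), raw.strip())
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.detail}")
```

    Run on the sample, the script flags the lsass.exe copy under system32\addins\ntdll and the javabi.exe process, both res:// page entries, the unnamed BHO and the sysfz32.exe autorun, and lists the O17 DNS servers for review; the Office O8 res:// entry is deliberately not flagged, since res:// links to Office's own binaries are normal there. Heuristics like these only point a reviewer at what to examine; the thread's advice to run an up-to-date antivirus scan still applies.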
  2. Njal

    Njal Private E-2

    I'm assuming you tried deleting all the R1 and R0 entries in HijackThis? If not, do so. Also, since it's self-replicating and changes its name, have you run any up-to-date anti-virus software?

    Nj
     
