"Only the best" pop up and "res://ycaju.dll/index.html#96676" homepage

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tzedka, Jun 22, 2004.

  1. Tzedka

    Tzedka Private E-2

    Please somebody help me *OR* kill me so the suffering ends! I've got the usual homepage problem coupled with the "Only the best" pop-up. I think it's slowing my computer. I hope someone can help me on this one; here's the HijackThis logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 00:22:02, on 2004-06-22
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\winpc32.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\syssp.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\explorer.exe
    D:\Imesh-Light\Client\iMeshClient.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Propriétaire\Bureau\Spyware Removal\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ycaju.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycaju.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycaju.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ycaju.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ycaju.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ycaju.dll/sp.html#96676
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {19C15D9B-ED76-52EE-036B-5591AF55B4A5} - C:\WINDOWS\mfccl32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [syssp.exe] C:\WINDOWS\system32\syssp.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [winpc32.exe] C:\WINDOWS\winpc32.exe
    O4 - HKLM\..\RunOnce: [ntwx.exe] C:\WINDOWS\ntwx.exe
    O4 - HKLM\..\RunOnce: [msby.exe] C:\WINDOWS\msby.exe
    O4 - HKLM\..\RunOnce: [atldz.exe] C:\WINDOWS\atldz.exe
    O4 - HKLM\..\RunOnce: [atlbz.exe] C:\WINDOWS\atlbz.exe
    O4 - HKLM\..\RunOnce: [iprg.exe] C:\WINDOWS\system32\iprg.exe
    O4 - HKLM\..\RunOnce: [sysak.exe] C:\WINDOWS\sysak.exe
    O4 - HKLM\..\RunOnce: [atlqs32.exe] C:\WINDOWS\atlqs32.exe
    O4 - HKLM\..\RunOnce: [crxm.exe] C:\WINDOWS\crxm.exe
    O4 - HKLM\..\RunOnce: [mfcbp32.exe] C:\WINDOWS\system32\mfcbp32.exe
    O4 - HKLM\..\RunOnce: [appdp32.exe] C:\WINDOWS\system32\appdp32.exe
    O4 - HKLM\..\RunOnce: [netrd32.exe] C:\WINDOWS\netrd32.exe
    O4 - HKLM\..\RunOnce: [msfs32.exe] C:\WINDOWS\system32\msfs32.exe
    O4 - HKLM\..\RunOnce: [sdkvi.exe] C:\WINDOWS\sdkvi.exe
    O4 - HKLM\..\RunOnce: [sdkxl32.exe] C:\WINDOWS\sdkxl32.exe
    O4 - HKLM\..\RunOnce: [sysah32.exe] C:\WINDOWS\sysah32.exe
    O4 - HKLM\..\RunOnce: [netpe32.exe] C:\WINDOWS\system32\netpe32.exe
    O4 - HKLM\..\RunOnce: [ntaw.exe] C:\WINDOWS\system32\ntaw.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Recherche (HKLM)
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    I tried to remove all the ycaju.dll both with spyware remover programs (Ad-Aware 6.0, HijackThis, CWShredder and Spybot S&D) and manually. Sounds like the spyware got me 'cause it came back running at me!

    Thanks everybody!
    Tzedka
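    The log above is what the helpers in this thread work from: the R0/R1 lines show which DLL the res:// homepage and search page point at, and the long run of O4 RunOnce entries is what makes the experts doubt a one-file fix will hold. The following triage script is an added example, not a tool from this thread or from the HijackThis project. It parses a constructed log sample modelled on the posted entries, pulls the DLL name out of any res://...dll URL (it also handles the bare form such as res://jjqjo.dll/index.html#22776 seen later in the thread), lists every RunOnce executable, and flags unnamed BHOs sitting directly in C:\WINDOWS. The "suspicious" rules are heuristics chosen for this example, not HijackThis logic.

```python
import re
from typing import Optional

# Constructed sample in HijackThis v1.97 log format, modelled on the entries
# posted in this thread; it is not the full log from the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ycaju.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycaju.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19C15D9B-ED76-52EE-036B-5591AF55B4A5} - C:\WINDOWS\mfccl32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [winpc32.exe] C:\WINDOWS\winpc32.exe
O4 - HKLM\..\RunOnce: [iprg.exe] C:\WINDOWS\system32\iprg.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
"""

# A res:// URL whose resource container is a .dll, with or without a drive path
# in front of the file name (both forms appear in this thread).
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?([^/\\]+\.dll)/", re.IGNORECASE)

# O4 autostart entry: hive, Run/RunOnce key, value name, and the command.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def hijack_dll_from_url(url: str) -> Optional[str]:
    """Return the lower-cased DLL name a res:// URL loads from, or None."""
    m = RES_DLL_RE.search(url)
    return m.group(1).lower() if m else None


def exe_path_from_command(cmd: str) -> str:
    """Strip quoting and trailing switches (e.g. /background) from an O4 command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    return cmd.split(" /", 1)[0]


def triage_hijackthis(log_text: str) -> dict:
    """Heuristic first pass over a HijackThis log (example rules, not HJT's own)."""
    findings = {
        "hijacked_urls": [],        # R0/R1 lines pointing IE at a res://...dll page
        "hijack_dlls": set(),       # the DLL names those lines resolve to
        "runonce_exes": [],         # every executable registered under RunOnce
        "unnamed_windows_bhos": [], # BHOs with no name living directly in C:\WINDOWS
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("R0 -", "R1 -")):
            dll = hijack_dll_from_url(line)
            if dll:
                findings["hijacked_urls"].append(line)
                findings["hijack_dlls"].add(dll)
        elif line.startswith("O4 -"):
            m = O4_RE.match(line)
            if m and m.group("key").lower() == "runonce":
                findings["runonce_exes"].append(exe_path_from_command(m.group("cmd")))
        elif line.startswith("O2 - BHO: (no name)"):
            path = line.rsplit(" - ", 1)[1]
            # Exactly two backslashes means the file sits directly in C:\WINDOWS.
            if path.lower().startswith("c:\\windows\\") and path.count("\\") == 2:
                findings["unnamed_windows_bhos"].append(path)
    findings["hijack_dlls"] = sorted(findings["hijack_dlls"])
    return findings


if __name__ == "__main__":
    for key, value in triage_hijackthis(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

    The DLL name is the piece a responder needs first, because it is the file the helpers ask the poster to locate under C:\WINDOWS\system32; the RunOnce list is the reason the thread later moves on to the longer procedure instead of stopping at one file.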
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I really don't think this simple approach will work but some people say it does. So let's give it a try and we will know for sure one way or another:

    Open the C:\WINDOWS\system32\ycaju.dll you get hijacked to in Notepad
    Select all content (Ctrl-A) and delete it
    Save the file and exit Notepad
    Find the file in Explorer, right-click it, select Properties, put a checkmark in 'Read-Only' and click OK.
    If you can't find the C:\WINDOWS\system32\ycaju.dll file, make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools", "Folder Options", "View" and be sure to check off "Show Hidden Files and Folders".

    That's the simple version. Test it and get back to me.
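    The empty-the-file-and-set-read-only steps above, scripted and verified in Python as an added example (not a tool from this thread): it truncates a file in place, clears the write bits, and then re-reads the file's size and mode so the outcome is checked rather than assumed. It runs against a constructed temporary file, not the real DLL, and the thread's own follow-up shows the limit of this method: the registry values still point at the DLL, so the browser just lands on a blank page.

```python
import os
import stat
import tempfile


def verify_neutralized(path: str) -> dict:
    """Report whether the file is zero bytes and has its owner write bit cleared."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "read_only": not (stat.S_IMODE(st.st_mode) & stat.S_IWUSR),
    }


def neutralize_file(path: str) -> dict:
    """Mirror the Notepad/Properties steps: empty the file, then mark it read-only."""
    bytes_before = os.path.getsize(path)
    with open(path, "wb"):
        pass  # opening for write truncates the file to zero bytes
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Clear every write bit; on Windows only the owner bit is meaningful, which is enough here.
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    result = verify_neutralized(path)
    result["bytes_before"] = bytes_before
    return result


def demo() -> dict:
    """Run the procedure on a constructed stand-in for the hijacked DLL."""
    fd, path = tempfile.mkstemp(suffix=".dll")
    with os.fdopen(fd, "wb") as f:
        f.write(b"placeholder content standing in for the hijacker's HTML resources")
    try:
        result = neutralize_file(path)
        check = verify_neutralized(path)  # a second, independent look at the file
        result["still_empty"] = check["size"] == 0 and check["read_only"]
        return result
    finally:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # make it writable again so cleanup works everywhere
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

    If a later check shows the size is no longer zero or the write bit is back, something on the machine rewrote the file, which is exactly the "it came back" behaviour reported in this thread and the cue to move to the fuller procedure.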
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    It's not a pretty way of doing it, but it can't get much worse. I just don't know why Ad-Aware has not updated. I know Merijn, the creator of CWShredder, has been busy with graduation and stuff, and Spybot... well, who knows when they will update again. It's a rough time.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hey, if it works it works. I figure give it a try and see what happens. But with all those EXEs I'm seeing in the HijackThis log, I don't think it will.


    I say we all get out our shotguns and go hunting for the bastards that created this.:mad:
     
  5. Tzedka

    Tzedka Private E-2

    I didn't find any ycaju.dll file in Explorer; there was only one, in C:\WINDOWS\system32. And even after deleting all the content of the file, the only thing it did is that I still get the "res://ycaju.dll/index.html#96676" homepage, but the page is blank (Cannot find the page msg). It was a nice try but it doesn't seem to work for this variant of the spyware.

    Thanks again,
    Tzedka
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's where I told you the file was (in C:\WINDOWS\system32\ycaju.dll).

    Try setting your homepage to something, like www.majorgeeks.com, and see if it works and stays that way. You may have to see what happens after a reboot.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh! I think I see where you got confused. "In Explorer" does not mean it is running or located in explorer; it means in the Explorer window, find the file in the list. In other words, using Explorer, find the file.
     
  8. Tzedka

    Tzedka Private E-2

    Been there, done that, doesn't work...

    Sorry, thought I needed to find it in the Internet Explorer folder too.

    One more time: thanks
    Tzedka
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, as I thought. That method does not work, at least not for all cases. See if you can follow the stuff in this thread: http://www.majorgeeks.com/vb/showthread.php?t=35165 I have had success with the basic procedures in here on about 4 to 5 systems already. If you need more help or have trouble following it, get back to me. Don't forget it was a back and forth trial and error procedure because no single step by step approach has worked yet for anyone. So it does seem to get repetitive sometimes because this crapware keeps mutating and spawning more processes. You have part of the procedure done (the erasing of the DLL). One step missing from that thread that could be very useful is to disconnect from the internet completely while working on this. It seems to prevent some of the mutation.
     
  10. Tzedka

    Tzedka Private E-2

    Did all the things you said to solve svengali34's problem. I had to delete some variant of the files you mentioned, but I think I did fine 'cause I don't have crap all over my comp now. Just for you to know, I had to delete SE (Search Extender) instead of SA (Search Agent) in the registry. I figured it was a variant crap file due to its name.

    You're really a lifesaver for many of us Chaslang. I really did not want to format my HD...

    Thanks for your help.
    Tzedka
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tzedka,

    Thanks for the kind words and the update. Good job on working it out. Glad I can help. ;)

    Chas
     
  12. Executivej

    Executivej Private E-2

    Hi Chas. You seem to be the man around here; I only came across this site because I was so freakin frustrated with this "Only the best" problem. The problem is, I am not the most computer literate guy around here and I tried to follow your instructions in the other thread but have too many problems:

    #1: my IE goes to this site: res://jjqjo.dll/index.html#22776 so I assume my dll file is jjqjo but I cannot find it on my pc (and I changed my hidden files settings like you said)

    #2: I don't see the sysup32.exe either

    I know a lot of what I'd have to do will probably mirror what you already stated here but I was wondering if you'd be kind enough to help walk me through what you think I need to do to remove this from my pc. I tried Bazooka, Adware 6.0 and nothing helps!

    I'm sorry if I'd be asking you to repeat yourself, I just don't know what to do anymore.

    thanks kindly.

    Jason
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jason,

    I caught you in the other thread. Do not double post questions/issues! Also begin your own threads for your issues. You can always reference a thread that you believe your problem is similar to.
     
