"Only the Best" Pop-Ups & Homepage (Diff version?)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jnick, Jun 16, 2004.

  1. jnick

    jnick Private E-2

    Hey guys,

    I'm a pretty smart web surfer, and have a lot of protection. Norton's Internet Security, Norton's AntiVirus, Adaware, and Pop Up Stopper Pro. I clicked on a stupid link for an Unreal Video and BAM. I now get "Only the best" pop ups and my home page ALWAYS goes to:

    "res://bvlsb.dll/index.html#96676" (Don't go here!!)

    Can someone be kind enough and guide me through the steps needed to be taken to get rid of this? Where should I start? I need that Hijack This program right? I'll get it now, and post my logs. Please help - This is a pretty new computer I'm on, and would hate to format.

    Oh and also, every time I launch IE, Windows Office XP Professional installer pops up . . . I always cancel it out though. This spyware also deleted my pop up stopper pro!

    Thank you in advance.

    Jnick
     
  2. jnick

    jnick Private E-2

    I hate to sound like a total newb, as I'm not, though in this field I am since I never usually get attacked like this, but where can I get this "Hijack This"?

    Sorry for the inconvenience.

    Jnick
     
  3. jnick

    jnick Private E-2

    Once again, sorry for the triple posts, but my newbish self found it. Preparing to use it now. I'll be back with the log file in a bit.

    Jnick
     
  4. jnick

    jnick Private E-2

    Logfile of HijackThis v1.97.7
    Scan saved at 11:23:41 PM, on 6/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\ntzn32.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Valve\Steam\Steam.exe
    C:\WINDOWS\system32\sdkfh.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\John\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bvlsb.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvlsb.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvlsb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bvlsb.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bvlsb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bvlsb.dll/sp.html#96676
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D408CA02-757E-8C7E-C5C1-63DA44B1D61A} - C:\WINDOWS\system32\sdkdx32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [sdkfh.exe] C:\WINDOWS\system32\sdkfh.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKLM\..\RunOnce: [ntzn32.exe] C:\WINDOWS\system32\ntzn32.exe
    O4 - HKLM\..\RunOnce: [javate32.exe] C:\WINDOWS\javate32.exe
    O4 - HKLM\..\RunOnce: [netif.exe] C:\WINDOWS\netif.exe
    O4 - HKLM\..\RunOnce: [javawr.exe] C:\WINDOWS\system32\javawr.exe
    O4 - HKLM\..\RunOnce: [winnk.exe] C:\WINDOWS\winnk.exe
    O4 - HKLM\..\RunOnce: [crpw32.exe] C:\WINDOWS\crpw32.exe
    O4 - HKLM\..\RunOnce: [ipsx.exe] C:\WINDOWS\system32\ipsx.exe
    O4 - HKLM\..\RunOnce: [sdkhn32.exe] C:\WINDOWS\system32\sdkhn32.exe
    O4 - HKLM\..\RunOnce: [mfcqu32.exe] C:\WINDOWS\system32\mfcqu32.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2711ea57c79f859d8c22/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37897.7400578704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab

    There it is . . . Hopefully someone can help.

    Thank you in advance.

    Jnick
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be patient jnick! We are still trying to figure out this sucker. No solutions yet.
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  7. jnick

    jnick Private E-2

    Like I said, I know how to scan for viruses, and spyware and all of that stuff. I have just never been hit like this before!

    The only reason I posted a thread is because I read the others and saw that SOMETIMES people were able to fix it.

    If anything new pops up, please inform me :).

    Jnick

    P.S. I see what you mean. I closed more programs, and I'm generating a new hijack log. Thank you for the help.

    Jnick
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. Andy R

    Andy R Private E-2

    Yeah, I have fixed mine. I don't know if the messenger is the cause of all of this, but I think the part that helped the most was using Process Explorer. If you refer to some of the latest posts in the thread we had running earlier (about 50 some posts in it) there is a link to where you can download this. You will have to start this program up and have it running. Then run HijackThis and remove these entries:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bvlsb.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvlsb.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvlsb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bvlsb.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bvlsb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bvlsb.dll/sp.html#96676
    O2 - BHO: (no name) - {D408CA02-757E-8C7E-C5C1-63DA44B1D61A} - C:\WINDOWS\system32\sdkdx32.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\RunOnce: [ntzn32.exe] C:\WINDOWS\system32\ntzn32.exe
    O4 - HKLM\..\RunOnce: [javate32.exe] C:\WINDOWS\javate32.exe
    O4 - HKLM\..\RunOnce: [netif.exe] C:\WINDOWS\netif.exe <---- not sure about this, check on its validity
    O4 - HKLM\..\RunOnce: [javawr.exe] C:\WINDOWS\system32\javawr.exe
    O4 - HKLM\..\RunOnce: [winnk.exe] C:\WINDOWS\winnk.exe <---- not sure about this, check on its validity
    O4 - HKLM\..\RunOnce: [crpw32.exe] C:\WINDOWS\crpw32.exe
    O4 - HKLM\..\RunOnce: [ipsx.exe] C:\WINDOWS\system32\ipsx.exe <---- not sure about this, check on its validity
    O4 - HKLM\..\RunOnce: [sdkhn32.exe] C:\WINDOWS\system32\sdkhn32.exe
    O4 - HKLM\..\RunOnce: [mfcqu32.exe] C:\WINDOWS\system32\mfcqu32.exe

    Make sure all IE browsers are closed when you run it.

    Once you remove these, open up IE (should be :Blank or something in the address bar). Try browsing around, while watching your Process Explorer for processes that start up and stop quickly. Jot these names down. Some program is spawning these new problems. For me it was an MSMSGS.exe messenger program running under a SVCHOST.exe generic host process.

    My problems are all gone, but I still have a realsched.exe that I'm suspicious of. It ran a realevent.exe around the same time the problem comes back. I'm not familiar with the RealNetworks Scheduler, so I can't be sure.
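    A small triage script for the HijackThis log posted above and the entries Andy R lists for removal, written here as an added example (not a MajorGeeks tool and not part of the thread): it flags R0/R1 start and search pages served from a res:// DLL, unnamed BHOs loaded from the Windows directory, and RunOnce entries launching from there, for a person to review. The regexes and heuristics are my assumptions about the log format; the sample lines are constructed from values in this thread.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    section: str  # HijackThis section code: R0, R1, O2 or O4
    reason: str   # why the line was flagged for review
    line: str     # the original log line

# R0/R1 entries: "R1 - HKCU\...\Main,Search Page = res://C:\WINDOWS\bvlsb.dll/sp.html#96676"
RE_R = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
# O2 entries: "O2 - BHO: (no name) - {CLSID} - C:\path\file.dll"
RE_O2 = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O4 entries: "O4 - HKLM\..\RunOnce: [name] C:\path\file.exe"
RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
RE_WINDIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.IGNORECASE)  # layout used in this log

def res_dll(url: str):
    """Return the DLL a res:// URL is served from, or None for other URLs."""
    m = re.match(r"res://(?:.*\\)?([^/\\]+\.dll)/", url, re.IGNORECASE)
    return m.group(1) if m else None

def triage(log_text: str):
    """Flag the three kinds of entries the thread's remediation list targets (heuristic)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RE_R.match(line)):
            dll = res_dll(m.group(4))
            if dll:
                findings.append(Finding(m.group(1), f"{m.group(3)} served from res:// DLL {dll}", line))
        elif (m := RE_O2.match(line)):
            if m.group(1) == "(no name)" and RE_WINDIR.match(m.group(3)):
                findings.append(Finding("O2", "unnamed BHO loaded from the Windows directory", line))
        elif (m := RE_O4.match(line)):
            if m.group(2) == "RunOnce" and RE_WINDIR.match(m.group(4)):
                findings.append(Finding("O4", "RunOnce launching from the Windows directory", line))
    return findings

# Constructed sample: a few lines in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bvlsb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvlsb.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D408CA02-757E-8C7E-C5C1-63DA44B1D61A} - C:\WINDOWS\system32\sdkdx32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [ntzn32.exe] C:\WINDOWS\system32\ntzn32.exe
"""
if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

    The Acrobat BHO and the Symantec Run entry in the sample are left alone; only the four entries matching the thread's pattern are reported.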
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Andy,

    realsched.exe:
    Application Scheduler installed along with RealOne Player. Runs independently of RealOne Player, to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. If it can't be disabled, try deleting or renaming realsched.exe and then delete the entry in the registry.

    realevent.exe:
    Another RealOne Player background task. See RNDAL and EVNTSVC elsewhere in these pages for more details about RealOne Player. Although we are not certain about it, REALEVENT seems to be involved in pulling from Real Networks servers something Real Networks want you to see (whether it is Real Networks product information, advertising, etc..., we are not sure).
    Recommendation:
    If you decide not to uninstall RealOne Player, rename REALEVENT.EXE to REALEVENT.OLD – RealOne Player works fine without it, and you will have one less Real Networks background task accessing the Internet without you knowing what it does exactly.
     
