Browser Hijack, about:blank Search, sp.html, and friends

[Rizon 0]

A little history on my problem of the last few days. Basically my IE homepage has been changed to a search page. Even though it's still shown as my regular start page of about:blank, it still shows the search page. I get bombarded with ad popups if I'm not using a blocker.

 

I've tried the following (all updated versions of each):

 

1) Ran AVG numerous times, been clean all but twice: BackDoor.Agent.BA and Downloader.Swizzor.AH. Noticed Swizzor was coming from C:\ProgramFiles\C2Media. Manually deleted that directory.

2) Ran Adaware, Spybot, NoAdware: All found nothing

3) Cleared with Tracks Eraser Pro, which had cleared off lop.com awhile ago. Nothing.

4) Re-ran Spyware Blaster. Nothing.

5) Noticed Class3SoftwarePublishers keeps re-adding itself into TempIntFiles.

6) Tried System Restore from an earlier safe point, all 3 safe points failed to restore.

7) Checked Startup via MSconfig, running processes, Add/Remove Programs, and saw nothing unusual.

8) Ran CWS Shredder. Nothing.

9) Stopped using IE, which I should have done awhile ago

 

Anyways, here is my log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:07:34 PM, on 7/3/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\RUNSERVICE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\FIREFOX\FIREFOX.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {9C4B1A91-BE9B-48E5-8E33-EC6205F0A2B1} - C:\WINDOWS\SYSTEM\PHKNA.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Encarta Encyclopedia (HKLM)

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)

O9 - Extra button: Define (HKLM)

O9 - Extra 'Tools' menuitem: Define (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: ATI TV (HKLM)

O9 - Extra button: Dell Home (HKCU)

O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c...ymmapi.dll

O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab

O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5301388889

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Shared.../cabsa.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

 

Thanks for any help.

[Rizon 0]

Ok, that seemed too easy?

 

I ran the BHO Demon, and it found two ... Norton and Acrobat Reader helper. I disabled both just to be safe (Don't use Norton anymore, and don't use AR anywhere but work).

 

Anyways, I started up IE and the page was no longer hijacked, instead replaced by Google.com. I changed it back to about:Blank and it looks like it's staying there.

 

I think the offending BHO was PHKNA.dll. I didn't get any hits in Google for it, and after deleting it, it just re-adds itself later.

 

Is this all that needs to be done for now?

 

PS: How do these about:blank hijacks come through, by clicking on a website or manually downloading something infected?

 

PSS: Thanks for your help, Alec.

[felix 0]

Sounds very similar to CoolWebSearch - nasty bastard of a bit of malware.

[Dirty Harry 0]

I 've seen it and removed it with a program called HijackThis, found at http://www.spywareinfo.com/~merijn/index.html

 

Another one I'd recommend is CWSHredder found at http://www.spywareinfo.com/~merijn/files/hijackthis.zip

 

H.

[snakefoot 0]

About:Buster by RubbeR DuckY

[UMichiganGuy 0]

I've got this same problem on my system (Win2K Pro) and have been unsuccessful at getting rid of it now for about a month. The program that seems to regenerate a new randomly named .dll in the system32 folder (always 30k in size) is IE. I have run all the same anti-spy programs that are listed here and even when it seems gone, a reboot and subsequent use of IE brings it back to life again. If I catch it early enough, I can manually delete the .dll and the system usually doesn't bog down but having this thing on my system is a serious problem since I don't know WHAT information it is capturing and sending out. If anyone ever finds a solution to this, please let me know. I have had some problems that have caused a lot of aggravation over the years, but this one is beyond my ability to solve. Thanks in advance for any continued information that might come along on this particular bug.

[iLLson 0]

Here is link I found online that shows you how to remove this beast:

 

http://www.securiteam.com/securityreviews/5RP0L0UD5U.html

 

People have said this worked for them, but this has NOT worked for me. I am unable to delete the reg key picked up by reglite, but I am able to remove the DLL file. (Read on to the button to see why this doesn’t work for me).

 

So here are the programs I TRIED to use to remove this malware!

 

-Ad aware 6.0 w. updates

-Spybot w. updates (doesn’t seem like they update anymore though)

-Latest version of cwshedder

-Hijack this

-Spy Sweeper with updates (takes a long time to scan but picks up more stuff than spybot/adaware)

-BHO Demon 2.0 (picks up the randomly generated .dll file

 

None of these programs have helped me remove this nasty spyware..

 

*all done in safe mode btw*

 

-so the spyware creates an sp.html in your local temp folder

-I delete all the temp folders, startup files and reg keys, etc.

-I delete the .dll that is picked up from the BHO Demon 2.0 BUT IT GETS CREATED AGAIN with another file name.

 

So there must be another hidden file (most likely a dll file) that is causing this problem.

 

If anybody has any insight on where to look or want to discuss this further, let me know.

 

Thanks

;(

[justpassinby 0]

just wanted to say because of a search I did on Google, I was able to fix my little "sp.html" problem on one of my Folding@Home servers. You guys are life savers. Thanks.

 

 

[npl 0]

I just solved that problem last night: drive by download, I found the search assistant had been activated. Particulars: problem file was ps.html, put in the temp dir. other problems caused too.

 

I was alerted to an outgoing attempt by ZoneAlarm Pro (the culprit tried to phone home, it was named on-line.exe. When it failed it deleted itself from the downloaded files folder under windows.

 

I did a search for files that had been modified w/in last day, and found in system32 a .dll file named jsjfc.dll (I think that was the name)... I could not delete the .dll (WTFO?) I tried looking for rogue services, but I keep a tight rein on them and found nothing there that was not supposed to be (though I did find an instance of macrovisions C-Dilla, which I also cleaned out!!)

 

Well anyway, I also found I had a permanent search page appearing on IE6 (I use about blank). And NOTHING I did got rid of it.

 

Here's how I fixed it.

 

1) I ran ad-aware, that ID several problems, and I deleted all the items it ID (this unfortunately included some links under all of the "default" favorites folders in IE, including for example "Entertainment." I will be changing all of the default favorite top-folder names this evening...

 

2) I ran regseeker's clean registry tool several times. I also did searches for file commands, etc. I had to go this route because the event viewer showed nothing! Neither did the Services listing.

 

3) I opened XTeqPro and looked at the Internet Explorer sub-links (under the internet heading), and found that a strange BHO that had not been there before (it has NAV and ACROBAT, I cleared the others months ago). XTeqPro will tell you where the BHO is located (instead of having to search for the CLSID). I did that and found the DLL I named above, in the system folder. Ok, now I know the culprit. This one turned out to be the sticker...

 

4) I reran a search in RegSeeker for the DLL name (a GREAT!!! freeware program by the way) and found several instances of the DLL listed in the registry. One of them actually included an unistall line!!! Duh. I opened the registry entry, and copied the uninstall line.

 

5) I opened Run and ran the uninstall line. That "disconneted" the DLL, which I was now able to delete directly in Windows Explorer. I opened IE and found the search page gone.

 

6) I reran regSeeker and deleted every entry with that name from the search window, did the same in the clean registry box.

 

7) I found an odd .tmp file in the system32 folder, named meebooee.tmp or some such, which I moved out of that folder and tried to delete, but I could not!! Hmmm... I changed the name, still could not delete it... Ok. I ran task manager, killed explorer, then reran explorer, then was able to delete the file.

 

8) I ran ZoneAlarm's cleaner, then ran Erase on some files(another great freeware tool); then manuall checked all of the temp dirs on the machine to be sure I had got rid of all cookies and links.

 

9) I logged out and back in, then ran XteqPro, and looked at the BHOs again, and LO!!! I found two more odd ones! The culprit had replanted itself on uninstall (as I had expected). However, I had moved the temp file and deleted it, then I manually searched the registry for the now 3 BHOs listed in XTeq. I found two entries for each BHO, on CLSID and one BHO entry. I deleted them, logged out, and back in, and back into Xteq, and all was gone.

 

10) I ran regseeker clean up one more time, then ran regclean (I use WinXP w/ updates, etc; heavily tweaked, and I find that RegClean STILL does a good job...). It found some stuff wrong, fixed that.

 

11) I restored my favorites from my most recent back-up, and checked everything out. All was still fine this a.m. when I checked again.

 

Note 1: I use ZoneAlarm Pro, NAV, WinXP w/ SP1, lots of tweaks and service disabled, etc. This was the first time I had this happen. Having XteqPro, Ad-Aware, RegSeeker, Eraser, CacheCleaner, RegClean, etc. All helped. I find I use all of these fairly regularly.

 

Note 2: WinXP SP2 is supposed to prevent these kinds of attacks, and that is supposed to be released today I think. Figures. Oh well it was a learning experience. I'd love to sugar the gas tank of the *^%$%$% who planted that seed...

 

Regards,

npl

[Red Dragon NZ 0]

This is a persistent b'tard! But, I managed to resolve this issue on a customers Win98 computer in the following way:

 

I installed Ad-Aware 6, SpywareBlaster 3.2, SpyBot S&D 1.3, updated them all and ran the scans/clean outs - but NONE of them removed this little devil permanently! However, they did help me track it down.

 

1) Spyware Blaster alerted me to the sp.html file being the cause of the about:blank homepage alteration. In the 'Tools' section, it showed the file sp.html as having been inserted as a search page - so I renamed all of these to Google using the 'change' function. (this can also be done in the registry, of course). It also alerted me to the location of the sp.html file in the C:\Windows\Temp folder, so I deleted it from there along with another file that seems to have been generated.

 

2) I re-ran SpyBot S&D and, in Advanced Mode, had a look at the BHO's listed in SpyBots 'Tools' section. There were two there - SpyBot's own SDhelper.dll and another unnamed and unidentified BHO. Clicking on it revealed the file and its location: ilcam.dll located in the C:\Windows\System folder. I deleted the BHO object from within SpyBot

 

3) Of course, trying to delete the source file in Windows was impossible as it was 'in use', so I rebooted into DOS and deleted it using the command line.

 

And then the home page was no longer hijacked 3 seconds after you launched Internet Explorer So far, three days later, the customer has not got back to me so I assume that all is still well.

 

 

I guess that this .dll file may come in various names - but having a search for this particular file may be of help. Also, of course, where sp.html and ilcam.dll may be located in a Windows XP environment may be slightly different, ie in the usernametemp folder and in C:\Windows\System32. But in principle, this method should work.

 

Look forward to some feedback on variations of this BHO as it is the most persistent piece of spyware that I have yet encountered. And all the more irritating as it presents itself as advertising for anti-spyware software! Clearly, its origins are from one of the many bogus anti-spyware software programs that have sprung up of late - if anyone finds out which one, please let me know.

 

Christopher

 

 

http://www.red-dragon.net.nz

[Andicioz 0]

Argh, are you sure that that Backdoor.agent.ba is removed? I think that is the trouble. I searched it on the net and it says Backdoor.Agent.Ba = About.Blank. - Symantec Virus names = not AVG names. Could it be that Trojan.Bookmarker.Gen = Backdoor.Agent.Ba ? If it is i removed Trojan.Bookmarker.Gen like this: 1) Disable System Restore (Windows XP/Me) (right-click on my computer->properties. click on system restore tab and disable it.) 2) Shut down PC and restart it in safe mode. (i thought there is a F-key to do it but i dont know it so i power him of while windows is starting, then next time u start u have the option to do safe mode, Select Safe Mode without any Networking or CMD Prompt) 3) Scan your PC, and Delete it. Then you must delete some Entry's in the registry, look here: http://securityresponse.symantec.com/avcenter/venc/data/trojan.bookmarker.gen.html at my brothers pc i wasn't able to delete it, i formatted his hd and reinstalled xp so.

 

Andicioz-<>-Greetzies

[Andicioz 0]

try about:buster

 

http://www.majorgeeks.com/download4289.html

[linguarum 0]

I found a simple grease monkey solution that worked for me:

 

Using HijackThis, find the HTML file that the browser hijack creates on your hard drive. In my case, it was c:\windows\temp\sp.html. Set that file's properties to Hidden, Read-Only and Archive. (I also deleted all the contents of sp.html file in Notepad and re-saved it, just in case.) Then I ran HijackThis again and 'fixed' the remaining search page items. Now the search pages are all set to "about:Navigation Failure."

 

I hijacked the hijacker! It can't find its page!

 

Then I went into IE and manually reset my home page.

 

Search button doesn't work, but I never used it anyway. At least my home page is back for good.

 

Like I said, a grease monkey solution, but it does work.

 

If nothing else works for you (like it did me), you might try it.

[admiraladz 0]

I have been having some virus issues which it looks like a lot of other people are having. UNfortunately I can't find the thread I asked the Q originally in because I've lost my bookmarks through stupidity so I hope you don't mind me starting again.

 

I open win2k then open Internet Explorer and get a spyware pop-up window and my homepage changed to newsearch.com - from that point if I run Avast! virus I get a virus alert with VBS:Malware[script]. So I deleted my icon for IE and installed Mozilla Firefox, SpywareBlaster and Flowprotector PLus 2.5 (added to my sygate firewall). These programs are identifying the problem, and Firefox is stopping the re-direct, but I'm concerned that as the integrity of my system has been breached that the security of my information is also in question.

 

So here's what happens when I scan on bootup (it doesn't look healthy and I think I need to edit the registry but can someone confirm and advise before I get drastic?)

 

Avast! finds VBS:Malware[script] in C:\Documents and Settings\Administrator\Local Settings\Temp\sp.html

 

Win32:Startpage-006[Trj] in C:\pagefile.sys & C:\WINNIT\System32\mpco.dll

 

Win32:Trojan-gen{other} in C:\WINNIT\System32\notepad.exe.tmp

 

Which it can't clean, but will allow me to delete.

 

 

(here's the log file .......

15/08/2004 10:27

Scan of all local drives

 

File C:\Documents and Settings\Administrator\Local Settings\Temp\sp.html is infected by VBS:Malware [script] - Deleted

File C:\pagefile.sys is infected by Win32:Startpage-006 [Trj] - Deleted

File C:\WINNT\system32\mpco.dll is infected by Win32:Startpage-006 [Trj] - Repair: Error 42060, Repair: Error 42060, Repair: Error 42060, Deleted

File C:\WINNT\system32\notepad.exe.tmp is infected by Win32:Trojan-gen. {Other} - Repair: Error 42060, Deleted

 

Number of searched folders: 2290

Number of tested files: 43409

Number of infected files: 4

.........................................)

 

Then I Boot win2k and Run Spybot & get

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-21-1004336348-606747145-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

which I fix then re-scan and they re-appear immediately without launching or opening anything!

 

As a sneak I have tried to drop an html file into the temp folder and call it sp.html making it read-only as was suggested. I then read about BHODemon 2.0 and installed that - it has located the orphaned registry from the mpco.dll file i deleted in boot and gave this message - "Although this BHO has entries in the Registry, the file itself (C:\WINNT\system32\mpco.dll) cannot be found. Possibly, this is the result of the file geting deleted during an attempt to remove the BHO."

 

So I let BHOD delete it and now only shows up SDHelper.dll which is part of search & destroy.

 

Now when I return to Search & Destroy and scan IT STILL shows me the DSO exploit!! So - time to install HijackThis v.1.97.7 - here's my log

 

Logfile of HijackThis v1.97.7

Scan saved at 11:36:30, on 15/08/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\Program Files\Sygate\SPF\Smc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\CTsvcCDA.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\Program Files\ahead\InCD\InCD.exe

C:\Program Files\Creative\ShareDLL\MediaDet.Exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINNT\system32\internat.exe

C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe

C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINNT\system32\NOTEPAD.EXE

C:\Documents and Settings\Administrator\My Documents\installers\spybot\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [updReg] C:\WINNT\Updreg.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [winupd] C:\WINNT\system32\winupd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe

O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe

O4 - HKCU\..\Run: [steam] C:\Program Files\Steam\Steam.exe -silent

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Corel Network monitor worker (HKLM)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Corel Network monitor worker (HKCU)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKCU)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11dae5ef5ca7b3808d17/netzip/RdxIE601.cab

O16 - DPF: {733A5CA7-C0E1-41D7-9506-F4AA354B4500} (ActiveFormX Control) - file://C:\Program Files\Intelore\AnimatedDesktop\advThemes\WorkDir\7476015\Files\ActiveFormProj1.inf

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.4203009259

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

ANYONE got any suggestions for me? I'm able to browse without the annoying redirect and can now log into hotmail and yahoo mail which it re-directs you out of when the malware is funtioning. But I still don't know if my data is safe.

 

Cheers

 

 

[SeT 0]

I am now fighting this hijacker as well. I've tried pretty much everything listed here. I've got bhodemon blocking cws as gffee.dll. It always regenerates when trying to remove it. The only thing I haven't been able to try is cwshredder because I can't get to spywareinfo - seems to be blocked. I'm stumped. Any help or suggestions would be greatly appreciated.

[Snowman 0]

I had this very same problem for weeks,I tried just about every

thing surggested here,too no avail.

But I might now have the answer.Try going to http://oz.msie.tv

and click the uninstall link,this will download a very small

program.

After I ran this I ran Adaware and it only found 2 of the original 8 remaining registy entries which it was able to delete.

 

I hope this is of some help.

[chuckster65 0]

Wow, that one was a booger. I finally located this site and read through the thread and it made things easier. I messed with my XP system for 3 hours first though.. tried a lot of the things others mentioned above. I ended up booting into safe mode, running adware to remove the sp.html from the registry, and deleted the file. Then I did a search for any dll's created today and found one - mee.dll (random names I see). I deleted it. I then manually searched the registry for, and deleted, all references to the dll and the html file (did not find any more of the html but I wanted to make sure). I did this all while disconnected from the network. I reset my home page and rebooted. I checked the browser and it sayed so I conencted the network and rebooted again. Surfed around a bit and all seems ok. Thanks for the info everyone!!

 

Just a quick note. Someone above mentioned SP2 for XP might stop this. I have SP2, didn't help.

 

 

Chuckster65

[Wattz 0]

Much like the rest of the people who replied here, I have this stupid about:blank Browser Hijacker..

I've had this problem before, or atleast a similar one that gives all the same BS. It was the CoolWeb one or something. However, that problem went away for unknown reasons to me. I personally did nothing to it, someone else may have.

Now this problem is back. Though it's not naming CoolWeb as the culprit.

 

This case however, is more......special. Not only does it hijack my default webpage, that I can live with. But it now also attacks my hotmail account. Or any hotmail account on this machine. I cannot access my email without it hijacking the page. It logs in, loads, you get a glimpse of the inbox and then it goes to the "Search For..." Page with the about:blank in the bar.

 

I've tried several programs including all updated versions of:

Ad-Aware

Spybot - S&D

About Blaster

BHODemon 2.0

 

All of them have failed in removing this problem.. And it's getting really annoying not being able to check emails and worse yet, having family members complain to me about not being able to check emails, even though they all blame me for this problem, when I haven't even been home.

Anyways, if someone can help me, please reply..

 

 

Edit:

 

I fixed my problem...I found a program on a Dutch site that did the trick real good...or atleast I can check email now and its no longer going to about:blank

The program was called SpHjFix...

Bad english but good results... I found it through a google.ca search.

http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html

you can find it here.

[Edited by Wattz on 2004-09-04 17:11:43]

 

[iq454 0]

This fixed my home page problem, but I still get pop ups, I'm working on this though. And services in admin tools is turned disabled, so it's not the messenger service for.

 

My system is XP, but maybe others with other OS's can get a picture of what to do. I can give in detail what files and how many are created for XP, maybe thios will help one of you experts out in finding the actual execution file re-creating these dll's.

 

Firstly, open this location for testing and keep it open for this procedure. Keep an eye on the Search Bar or Search Page. It should have the location of our "dll" to delete first.

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

 

In my case the file was "kvypu.dll" (this wil be different for everybody I think).

 

res\\Windows\"kvypu.dll"/sp.html#29126 is what's displayed in the registry.

 

The "dll" might or will differ, but the sp.html should be there, as all of you are talking about it. This should be easy to identify because of the "sp.html#?????" so just look for it and the "dll" will be before it.

 

What I done.

I opened it in notepad to see if I could change anything or find what it was pointing to, to see what was executing the re-creation of the "dll's", but couldn't find anything. Then I tried deleting info from that file, to no avail, "can't overwrite" I then just tried deleting the actual "dll" itself,it worked(as I knew it would, because I knew it would re-create into another file or another file would re-creat another random name) while keeping the registry open to see the changes, surely enough,it was re-created to another random set of letters "dsgat.dll", still the same size though, so all future creations will be easy to indentify if it decides to change name again.

 

res\\Windows\"dsgat.dll"/sp.html#29126 is what's displayed in the registry after you refresh it.

 

Now, I opened it and tried to delete stuff from this file also, to my supprise, it let me make changes this time, so I deleted the path where it finds the server just to see if it would let

me change something,(I don't think modifying it's contents is going to make a difference to the re-creation of it) this is just the link that displays when you open your IE homepage that got hijacked (this is also how I identified the rest of the "dll's" that you will see if you read on) whatever link it takes you to, is what I deleted, I'm not sure if it would make a

difference, I just done it out of curiosity, you don't have to do this though, just check to see if the links in there, to identify it as a "dll" to be deleted.

 

Now, after I deleted the link it was pointing to, and then closed that "dsgat.dll",I had a look at the registry again to see if it changed again, it did get re-create to yet another name

 

"rnozl.dll"

 

res\\"rnozl.dll/sp.html#29126" on the fly.

 

Now, I also done the same for this "dll"(deleted the link it was pointing to), but then, no more on the fly changing in the reg string. I think deleting that first "dll", made these two extra

files in one go or they were always on the pc ready to hijack if that file was deleted, and probably didn't have anything to do with me changing the files or deleting the link it was pointing to, it just probably had only this amount of files or that's how many files the programmer told his spyware to create. Anyway, after that, I was to find antoher 2 that I found only by checking with notepad, because these names weren't getting re-created in the registry like the others did. (sneaky)I also found a "log" file that had the exact same content as all the "dll's". This maybe the file that's creating the random "dll's" if they get deleted, or it's the first file I deleted. Again, the name may differ.

 

So, search for these files on your PC. In my case,

 

kvypu.dll 56kB was write protected, but let me delete it.

dsgat.dll 56kB wasen't write protected

rnozl.dll 56kB wasen't write protected

unqob.dll 56kB wasen't write protected

qoocf.dll 56kB wasen't write protected

wqkmpi.log 56kB wasen't write protected

 

Then go to the Search Bar and Search Page in the registry, right click and modify, replace it with the page of your choice, make sure you empty the recycle bin, Homepage linking defeated.

 

Because these files may be named differently on your guys pc's,(which I'm sure they will be)a way to check is by the file size(they may not be the same size as mine either), so check

like this, again go to the Search Bar or Page In the registry there should be the "dll" we're looking for.

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - Search Bar or Page

 

example: res windows\kvypu,dll/sp.html#29126

 

For me the first one was "kvypu.dll",(might or will differ) simply go to that location, check it's file size, and then order your windows folder to show all files by file size to make them

easier to find. There shouldn't be many legit dll's in ther ethe same size as these, so it should be easy to find them.

 

Then check all the "dll's" that are the same size(random letters and same file size should give it away), check them by opening in notepad just to be sure it's not a legit "dll", and see if the link has anything regarding your homepages forwarding link(the hijackers link), it should be something like

 

http://www.looksearch.com.blahblah - this was mine, it's just the link that your hijacker takes you to when you visit your home page or make a search, this is what we're looking for,

if it is in there, that's a "dll" to delete. Just keep doing that for the rest and delete them all, and stay in the windows folder and keep refreshing and see if anymore get created. And don't forget that log file, it should display the same content as the "dll's", you don't need to use "open with" as it is already a text file, so just click it.

 

If it's the first time you've deleted the "dll" you found at the begining, then it should make a few more on the fly, just keep this registry location open, and it should tell you what the

new "dll's" that get created are, do it one at a time, if it changes, search for it in windows folder, and delete, then check back to the registry to see if it creats another. There should be a total of 6 files, 5 dll's and 1 log file. A couple "dll's" mingt already be on the PC as explained before, so you can either use the registry to identify them, or, you can use the file size and opening in notepad method.

 

If you refresh the registry, it should change to what "dll" is currently in use. And this way we don't have to do guess work or open them up to check in notepad. (maybe I should've said this up earlier, or did I?)

 

Oh heck, I'm tired, give me a break

 

I'll be back to post the popup data and the redirecting issue you still may have, if you ever did have that problem.

Remember, this only fixes the homepage chaniging itself back to the redirected link the spyware has palced on the system. If you have google as your homepage, or you just go to google and you search for something, a few secnods later, it will redirect you, so, this is what I'm trying to solve, if I find anything I'll be back.

[iq454 0]

Okay, I ran BHODemon, it found, cfe32.exe, it fixed it. I reloaded BHODemon, it then changed that file to cfe32.dll, I then deleted it myself, ran it again, then it changed to ntxj32.dll, at this point, I went back into windows folder to find its file size,I found these files also, keoqrv.dat 91kB, ljxgrj.dat 91kB, psstrh.dat 91kB, xdyroe.dat 91kB.

 

SO that would make this new army as follows,

 

ntxj32.dll 91kB

keoqrv.dat 91kB

ljxgrj.dat 91kB

psstrh.dat 91kB

xdyroe.dat 91kB

 

I'm really not sure what's going on, but I do know that BHODemon, is not picking up the main program that's recreating these files, but, do you see the pattern?

After the main exe was found and fixed, it then on the fly, created 5 different files again, renamed and this time, the extention has changed also.

 

I think I figured it out.

 

Each time we delete what's picked up, it then creates 11 exe files, I'll explain here. Obviously, we can't keep deelting it this way.So do this. When BHO detects a change after it removes the dll, lets say, ntxj32.dll, don't delete or let it fix it, what we have to do is look for the exe files it created

when we deleted the previous dll, so in this case it would be

 

ntar32.exe all these files are 19kB/s in size.

ntan.exe

ntdg.exe

ntjb32.exe

<AND SO ON, SHOULD BE 11 OF THEM>.

 

or any files that have "nt" at the beginning, just like the dll, and that are the same files size, if it's a different file size, don't delete it. But, Im sure there wont be.

 

Now this makes it easier, because, not only can we find these files by it's file size being the same, but now, we also know that it creates exe files with the same 2 letters

as the dll, and these exe files are also the same file size, just not the same as the previous post and previous files I deleted.(This guy is smart)So either, order the windows folder to file size, or by name. And find them that way.

 

I think I'm getting closer to what it's actually doing, and how to catch it before it makes these files again in another name, size and extention. But now, atleast we can identify it easier as this is the pattern.

 

Once you delete the dll BHO picks up, it wil then make another dll in another name and another size as the previous dll we delete, with 11 exe files with the first two letters of that dll it creates.

 

It creates 11 exe files, and lets any spyware detector find the dll, because it doesn't matter if you delete it, the programmer that made this knows, that these arent the files we gotta delete. So if I have a theory on this, if I delete these 11 exe files before I delete the dll, then I think it wont occure, if it does, then it is another program that hes got as backup incase someone like me found the pattern, if so, I think I'm

(or we're) shit outta luck until some expert can figure this pattern out and find the main program to fix. Even though others have fixed this, there are others that haven't, even after using BHOdemon and everything else possible.

 

Be back if I see something new.

[iq454 0]

I think I got it.

 

Remember them 11 exe's I said it creates? well, it doesnt create them first if we delete the dll, it makes dat's, if we delete the dat's it makes exe's, I believe this is to through us off course. But 11x19=190kB, if you remember I have left the other exe files that the other dll created on my pc also

(because I wasent sure to delete them), if we go back to the top, we'll see that the total file size of them 4 dat's and 1 dll = 455kB>

The total for those 11 exe's =11x19=190, but because I never deleted the other exe's that were made from the previous dll that was deleted, it will be two sets of exes to each dll now

making it total 380kB. I think we're looking for a file that is 75 kB/s in size, I think this is the main program that's the cause of all the re-creations. I think that if we delete these

files, it makes the same files, but with dfferent sizes, names and extentions.

 

Ill be back to post more if I'm right

[iq454 0]

Hey, I think I narrowed it down now :)again..lol

 

I just thought of something, these exe files I found, well, I found more of them, only in another name, but same file size, I think that these exe files are replicating 11 exe files

alphabetically.

 

ajkl.exe

 

bstsl.exe

 

cfe32.exe

 

and so on.

 

Instead of creating them when we delete the dll as I said before, its creating them as we speak from the previous exe's left behind, so if we delete them as well, then they will load the others.

 

I think I have it, all the files are already on the system recreating themselves all the way to "z"

 

So I think we have to find all of them and delete them all at the same time.

 

Maybe I'm wrong, but I'll check. Be Back

[iq454 0]

OKAY guys, I think this is it....for real this time

 

okay, the new dll found by bho was "javatm.dll", and the new exe fies created were.

 

javacm.exe

javadp32.exe

javalb.exe

javaqp32.exe

javatn32.exe

javaug32.exe

javaut32.exe

javavd32.exe

javawe32.exe

javaww.exe

javayr.exe

 

all are 19 kB in size, even all the others with different names to the dll's previous to this new one I got are this size, so we have got the bastards.

 

You see, it makes exes of the dll, or, the previous dll deleted made these first, then the dll, either way, we gotta delete these.

 

OH, and if you delete the exe's and not the dll, the dll will make a new set of exe's for itself, incase you delete the dll(sneaky), and if you delete the dll first without deleting the corresponding exe's, then those exe's will make a new dll(sneaky) with a random name, and then that dll will create another set of exe's to match. So you have to delete the dll and the exe's together, otherwise it will just go on and on.

 

If you have been deleting the dll's and not these exe's, then then you will either have to remember those dll's names you dleleted so we can find them, or just use the 19kB file size to judge, then just see if there's 11 of them, and you need to get all of them together, dll's and exe's.

 

Hope this helps. I'm in the process now of testing this, I'll post back soon on the results.

 

PS: This is why BHO doesn't work for some of you, because BHO only picks up one file at a time,(the active one)and not the rest, because the rest are turned off and BHO thinks that their harmless. So again, as soon as you delete the actve one(whatever BHO picks up), it will then turn on the others, and they will start all over again. So again, we need to dlelete them all together.

[Edited by iq454 on 2004-09-08 08:07:12]

 

[Roddan 0]

Try this site to fix your problems

http://cgi.f-secure.com/cgi-bin/search.c...earch&sp=sp

[iq454 0]

Yes, IT WORKED.

 

I'll run you through the procedure exactly. I'll try to explain as best I can.

 

Open your Windows folder and your Windows\system32 folder at the same time and order them both by size.

 

Now, because the files name might be different for all of us(or even the size for that matter), we have to work off the files size...If yours is different, you can see what to do anyways.

 

These are the sizes to look for(In my case anyway).

 

19, 56 and 91 and 96 kB in your windows folder AND

 

32, 64 and 96 kB in your system32 folder.

 

The way to find these files is it to check by hovering your mouse over each and every one. If it's part of this hijack, it will not display its type, description or who made it(microsoft or whoever).

 

So, start in your system32 folder and find all the files that are 96kB, hold the "ctrl" key and hover the mouse over it, if no type, description or who made it is displayed, then highlight it, while still holding the "ctrl" key, go up to the next file and check it also, if it has a type, description, and who made it, then DON'T highlight it and move on like this until you get all files 96kB in size. DONT DELETE THEM YET. Keep going up until you find all files that are 64kB also, and do exactly the same thing, then do the same for the files that are 32kB.

 

Once you have them all highlighted, go to your windows folder that should already be opened and find the file that BHOdemon reported,(it will take 30 seconds to create a new dll) so this is enough time, because all the files we need to delete are already highlighted. ;)The only one we have to take a few seconds to get to is the file in windows folder that BHO reported.

 

Now delete all them files you highlighted in your system 32 folder, it will then say "this is a system file, if you delete it, blahblahblah" just delete it as this might be the main program that started it all, if it really is a system file we need, then it will say who made it(microsft or whoever) when we hover the mouse over it, but if it didn't, then it belongs to this hijack(Because all legit files have a description and who made it). Then quickly go into your windows folder and delete that file BHO reported.

 

That's it. Hijack defeated.

 

You see the pattern this hijack made? The person who made it was so smart, that if someone like me found the files to delete, then the main program (in system32 folder) would make the same hijack, only in another type of file and maybe location too, but it only goes between windows folder and system32 folder(like exe's, dll or txt), and if we found those exe's or whetever and deleted them, it would then make a main dll of 64kB and an exe or 32kB equaling 96 kB, or an "ocx" of 64kB and a "exe" of 32kB equaling 96kB, and if we found those dll's, ocx's, txt's, or exe, it would then make another dll or exe or txt equaling 96kB, the program or hijack actually does have and end thank god.

 

All of this was to throw us of course, and anything that scanned it. But now we can see that the whole hijack was in a main file of 96kB, don't know which one, but we know what its size is.

 

Again, if we leave the exe's and delete the 96kB dll file only, those 3 exe's would then make either, another dll of 96kB, or make 3 exe's(because remember, each exe is 32kB 3x32 is 96, then those 3 exe's "might" make more exe's of itself incase we found the pattern, and found out how to look for it would be by the file size(like I did)because remember I found 11 once?. This might be because I was deleting dll's before all this, and it just kept creating extra exe's.

 

May be confusing, but that's that pattern and how I defeated it.

 

And no virus, spyware or even BHO program can detect this, because the main one(s) are turned off, until the one that is active is deleted, which is the one BHO or spyware programs will detect, which is uselss in ths case.

 

Have a nice day.

 

PS: If you have problems, you can reach me @ neobot@the-pentagon.com