persistent IE hijacker.... need help to eliminate! - GoFuckYourself.com

gayJesus · 06-17-2004, 08:22 AM

i've picked a disease that just won't go away.... i 've tried spybot, spyware, spyguad, CWshredder and the damn thing just won't go away

everytime i try to open this ur:
res://wzszd.dll/index.html#96676

tries to become the home page. a varient of the url tries to become ie's search page

any ideas on how to get rid of this sucker?

thanks

ATL_Ryan · 06-17-2004, 08:25 AM

What page is it taking you to?

SlickCash Brock · 06-17-2004, 08:26 AM

http://www.spychecker.com/program/hijackthis.html
Try this it should do the trick for you. Hijackthis!

loverboy · 06-17-2004, 09:29 AM

Ad-aware 6.0

Jace · 06-17-2004, 09:55 AM

Quote:

Originally posted by loverboy
Ad-aware 6.0

VideoJ · 06-17-2004, 10:28 AM

Quote:

Originally posted by SlickCash Brock
http://www.spychecker.com/program/hijackthis.html
Try this it should do the trick for you. Hijackthis!

collegeclam · 06-17-2004, 10:32 AM

noadware.net finds things adaware and spysweeper dont, and theres this thing called "bazooka" that finds the problem, but only tells you how to get rid of it manually.

adaware ive found doesnt find as much stuff as spysweeper and noadware. spysweeper also takes forever to run, whereas adaware runs extremely fast.

gayJesus · 06-17-2004, 11:48 AM

i've tried adware, spybot, spycatcher.. cwshredder.... edited the registry...

nothing's working so far.

SlickCash Brock · 06-17-2004, 12:03 PM

Hijackthis would not remove it?

Antxx · 06-17-2004, 06:23 PM

If it's the same shit i had...You need to get rid of it with Norton in safe mode. This is surely an EPS system software. Read this, you will need hijackthis:

http://forum.gladiator-antivirus.com...howtopic=14946

http://forums.thetechguys.com/showth...?t=5322&page=2

It would have install a couple of files with cax filename in it, like cax.dll , msrtcax.exe, and a cax plugin in downloadedprogram folder in Windows folder.

BlueQuartz · 06-17-2004, 06:50 PM

hijackthis is what you need bro

pussyluver · 06-17-2004, 07:42 PM

Quote:

Originally posted by BlueQuartz
hijackthis is what you need bro

google engineers will help if you send them the hijackthis output. Hint, make google you're home page 1st or try anyway. At least tell it was.....

prob with regedit is they prolly use some IP addresses or other sneaky tricks.

Other than that reformat the harddrive and start over.

jukeboxfrank · 06-17-2004, 09:19 PM

check your hosts file to make sure your real homepage is not
redirected.

Hue G. Pness · 06-17-2004, 09:30 PM

Get Mozilla firefox. I know I know. You have heard it before. The latest release of Firfox is sweet though and doesn't fuck up pages. Added bonus... NO FUCKING HIJACKS. I recently switched to it a few weeks ago and fucking love it. I was a huge IE advocate until then. Tab browsing rules. No hijacked shit rules even more. No constant patches due to ever increasing exploits rules even more. I will never go back to IE.

KRosh · 06-17-2004, 10:06 PM

Install this....and post the results and we wil help you.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Face (o_0) · 06-18-2004, 12:31 AM

wow ive got the exact same problem!

gayJesus · 06-18-2004, 01:31 PM

here's the hijackthis log as requested:

Logfile of HijackThis v1.97.7
Scan saved at 1:28:26 PM, on 18/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\system32\msme.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\WINDOWS\apist32.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\junk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://news.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wzszd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wzszd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wzszd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wzszd.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.bbc.co.uk/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Aryeh Meir\Application Data\Mozilla\Profiles\default\nslohror.slt\prefs.j s)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FE085492-8FA7-A758-02DC-5ACA50A28BEB} - C:\WINDOWS\apist32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [apist32.exe] C:\WINDOWS\apist32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [msme.exe] C:\WINDOWS\system32\msme.exe
O4 - HKLM\..\RunOnce: [ipio32.exe] C:\WINDOWS\ipio32.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Pop-Up Blocker (HKLM)
O9 - Extra 'Tools' menuitem: Pop-Up Blocker (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

______________

now... what to make of it?

06-17-2004, 08:22 AM	#1
gayJesus Registered User Join Date: Sep 2003 Posts: 90	persistent IE hijacker.... need help to eliminate! i've picked a disease that just won't go away.... i 've tried spybot, spyware, spyguad, CWshredder and the damn thing just won't go away everytime i try to open this ur: res://wzszd.dll/index.html#96676 tries to become the home page. a varient of the url tries to become ie's search page any ideas on how to get rid of this sucker? thanks __________________ Uncut Cash Rocks Worshipping Uncut Cock 24/7

06-17-2004, 08:26 AM	#3
SlickCash Brock Confirmed User Join Date: Apr 2004 Location: Toronto Posts: 935	http://www.spychecker.com/program/hijackthis.html Try this it should do the trick for you. Hijackthis! __________________ [email protected] E-mail [email protected] ICQ# 315 496 668

06-17-2004, 11:48 AM	#8
gayJesus Registered User Join Date: Sep 2003 Posts: 90	i've tried adware, spybot, spycatcher.. cwshredder.... edited the registry... nothing's working so far. __________________ Uncut Cash Rocks Worshipping Uncut Cock 24/7

06-17-2004, 06:23 PM	#10
Antxx Confirmed User Join Date: Dec 2003 Location: Qubec, Canada Posts: 587	If it's the same shit i had...You need to get rid of it with Norton in safe mode. This is surely an EPS system software. Read this, you will need hijackthis: http://forum.gladiator-antivirus.com...howtopic=14946 http://forums.thetechguys.com/showth...?t=5322&page=2 It would have install a couple of files with cax filename in it, like cax.dll , msrtcax.exe, and a cax plugin in downloadedprogram folder in Windows folder. __________________ "Those who dream by day are cognizant of many things which escape those who only dream by night" -E A. Poe http://www.playhon.com http://www.living-glass.com

06-17-2004, 09:30 PM	#14
Hue G. Pness Confirmed User Join Date: Jun 2003 Location: Variable Posts: 1,237	Get Mozilla firefox. I know I know. You have heard it before. The latest release of Firfox is sweet though and doesn't fuck up pages. Added bonus... NO FUCKING HIJACKS. I recently switched to it a few weeks ago and fucking love it. I was a huge IE advocate until then. Tab browsing rules. No hijacked shit rules even more. No constant patches due to ever increasing exploits rules even more. I will never go back to IE. __________________ GFY Voice of Reason Last edited by Hue G. Pness; 06-17-2004 at 09:31 PM..

06-17-2004, 08:25 AM	#2
ATL_Ryan Confirmed User Join Date: Sep 2002 Posts: 1,519	What page is it taking you to?

06-17-2004, 09:29 AM	#4
loverboy When it rains, it pours Industry Role: Join Date: May 2003 Posts: 20,609	Ad-aware 6.0

06-17-2004, 10:32 AM	#7
collegeclam So Fucking Banned Join Date: Mar 2003 Location: philadelphia Posts: 239	noadware.net finds things adaware and spysweeper dont, and theres this thing called "bazooka" that finds the problem, but only tells you how to get rid of it manually. adaware ive found doesnt find as much stuff as spysweeper and noadware. spysweeper also takes forever to run, whereas adaware runs extremely fast.

06-17-2004, 12:03 PM	#9
SlickCash Brock Confirmed User Join Date: Apr 2004 Location: Toronto Posts: 935	Hijackthis would not remove it? __________________ [email protected] E-mail [email protected] ICQ# 315 496 668

06-17-2004, 06:50 PM	#11
BlueQuartz Confirmed User Join Date: May 2004 Location: Australia Posts: 1,971	hijackthis is what you need bro

06-17-2004, 09:19 PM	#13
jukeboxfrank Confirmed User Join Date: Apr 2004 Location: www.jenniferworthington.com Posts: 1,207	check your hosts file to make sure your real homepage is not redirected.

06-17-2004, 10:06 PM	#15
KRosh So Fucking Outlawed Industry Role: Join Date: Nov 2001 Posts: 5,114	Install this....and post the results and we wil help you. http://www.spywareinfo.com/~merijn/files/HijackThis.exe

06-18-2004, 12:31 AM	#16
Face (o_0) So Fucking Banned Join Date: May 2004 Location: Montreal, Canada Posts: 2,617	wow ive got the exact same problem!

06-18-2004, 01:31 PM	#17
gayJesus Registered User Join Date: Sep 2003 Posts: 90	here's the hijackthis log as requested: Logfile of HijackThis v1.97.7 Scan saved at 1:28:26 PM, on 18/06/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Personal Firewall\NISUM.EXE C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Norton Personal Firewall\SymProxySvc.exe C:\WINDOWS\system32\msme.exe C:\Program Files\Norton Personal Firewall\NISSERV.EXE C:\WINDOWS\Explorer.EXE C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Norton Personal Firewall\IAMAPP.EXE C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe C:\WINDOWS\System32\P2P Networking\P2P Networking.exe C:\Program Files\SpyCatcher\DeleteSatellite.exe C:\WINDOWS\apist32.exe C:\Program Files\SpyCatcher\Scheduler daemon.exe C:\junk\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://news.bbc.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wzszd.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wzszd.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wzszd.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wzszd.dll/sp.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.bbc.co.uk/ N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Aryeh Meir\Application Data\Mozilla\Profiles\default\nslohror.slt\prefs.j s) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FE085492-8FA7-A758-02DC-5ACA50A28BEB} - C:\WINDOWS\apist32.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe" O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" O4 - HKLM\..\Run: [apist32.exe] C:\WINDOWS\apist32.exe O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKLM\..\RunOnce: [msme.exe] C:\WINDOWS\system32\msme.exe O4 - HKLM\..\RunOnce: [ipio32.exe] C:\WINDOWS\ipio32.exe O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-sp.htm O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-sp.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: ICQ Pro (HKLM) O9 - Extra 'Tools' menuitem: ICQ (HKLM) O9 - Extra button: Pop-Up Blocker (HKLM) O9 - Extra 'Tools' menuitem: Pop-Up Blocker (HKLM) O9 - Extra button: AOL Instant Messenger (TM) (HKLM) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab ______________ now... what to make of it? __________________ Uncut Cash Rocks Worshipping Uncut Cock 24/7