Can't change homepage back to normal (or: need help plz! real badass spyware!)

metomeya New
edited June 2004 in Spyware & Virus Removal
Every time my IE homepage changed, I reset my registry and then everything was fine. This time it's different! I went to HKCU>SOFTWARE>MICROSOFT>INTERNET EXPLORER>MAIN to recover START PAGE, SEARCH PAGE, DEFAULT_START PAGE, and DEFAULT_SEARCH PAGE, and I did the same in HKLM. When I restarted the PC, I checked the registry again and everything looked good, and the default start page was set back to msn.com. However, as soon as I launch IE, the homepage was changed back to res://gapyv.dll/index.html#96676, and so were all the registry entries I previously recovered manually.

I've never seen this case before. And what the hell is res://gapyv.dll/index.html#96676? Does it launch the DLL file and reset the registry? I was brought to a page named HOME SEARCH though. I suspect something remains in the RUN directory of HKCU or HKLM, and I deleted everything suspicious. But one entry that launches a file named javazo32.exe in system32 keeps coming back whenever I launch IE. I don't know if that entry is of any threat, but that thing and all the start page entry things seem to be related to the launch of IE.

I tried searching the registry with keywords like "res://gapyv.dll/index.html#96676" and "javazo32" and I deleted every result I got, but then still the start page entries as well as javazo32 just kept coming back. The javazo32 might be another thing though.. dunno.

I am so sick of this! I even tried anti-spyware tools like Ad-aware, CWShredder and Spy Stopper, but all in vain. Could anyone help me? Could anyone who knows the registry really well help me delete the source entry?? Or just any advice, I would be grateful!

Comments

  • primesuspect, Beepin n' Boopin, Detroit, MI, Icrontian
    edited June 2004
    Now now, you've been around long enough to know better :D

    Post a HJT log and we'll take a look at it! :woowoo:
  • shwaip, bluffin' with my muffin, Icrontian
    edited June 2004
    HijackThis (HJT) can be found via the link in my sig, if you cannot find it.

    Be sure to put it in its own directory before running to keep stuff organized.
  • metomeya New
    edited June 2004
    Ya sorry I'm retarded. Actually I posted this for someone from forums.devhardware.com. Here's his log and the rest is his message:

    Also, if you could check out this thread, it's the original: http://forums.devhardware.com/showthread.php?t=22612


    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\ati2evxx.exe
    C:\WINNT\system32\CTSvcCDA.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\sysvg.exe
    C:\WINNT\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINNT\system32\P2P Networking\P2P Networking.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\mfcub.exe
    D:\Program Files\FlashGet\flashget.exe
    D:\dl\HijackThis.exe

    Registry:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gapyv.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gapyv.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gapyv.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gapyv.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gapyv.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\gapyv.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {F016EFF6-7206-8B10-B2DA-2E5F3C5E643C} - C:\WINNT\winxi.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mfcub.exe] C:\WINNT\mfcub.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_FR.cab
    O16 - DPF: {0F706A25-2496-4746-8589-74CFE4213760} (XBeat.XBeatCtl) - http://storage.18x.cx/XBeat.CAB
    O16 - DPF: {12B1DDB9-F2CC-4783-A02A-257111B096FA} (XSando.XSandoCtl) - http://www.narazuke.com/~moro/exe/XSando.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
    O16 - DPF: {18BF3D37-CA57-4449-BEED-973927FFCCBD} (XAiko.XAikoCtl) - http://www.yuria.org/exe/XAiko.CAB
    O16 - DPF: {19E0F68F-C0EF-4241-B876-A3D646995895} (XCherry.XCherryCtl) - http://www.ccremon.com/card/cab/XCherry.CAB
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {395C1A95-16CD-4BA8-A147-679BB19C19DD} (XRobby.XRobbyCtl) - http://storage.pinkyellow.com/XRobby.CAB
    O16 - DPF: {41770406-8D8B-4E77-81BD-459F191F4347} (XEng003.XEng003Ctl) - http://cutygirls.net/pink/003/XEng003.CAB
    O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.c...sharingctrl.cab
    O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.sinago.com/download/OroCheck.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared...76/mcinsctl.cab
    O16 - DPF: {596546D4-3213-4376-923E-3251CFA2511E} (XBokkori.XBokkoriCtl) - http://210.188.252.101/html/exe/XBokkori.CAB
    O16 - DPF: {69A4F9FF-E915-11D5-A9F1-009099104002} (XDialer Class) - http://geisya.1496i.net/XDialer2.CAB
    O16 - DPF: {774B3774-B7D5-47DA-99E0-CFD36A4208DB} (XPixy.XPixyCtl) - http://storage.pinkyellow.com/XPixy.CAB
    O16 - DPF: {99888952-AC62-437C-AFC6-7B5CF05A7F2F} (IEDown Class) - http://download.ourgame.com/IEDown.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...37867.750150463
    O16 - DPF: {A04437A7-968F-41B0-9622-BCA666D7188F} (XPaco.XPacoCtl) - http://storage.18x.cx/XPaco.CAB
    O16 - DPF: {A424AD33-B192-4B0F-8D46-A90543F8C535} (XEng005.XEng005Ctl) - http://iii.tv/pink/005/XEng005.CAB
    O16 - DPF: {A5E3B21E-CCBB-450E-9D0C-EEF06076B856} (XEng026.XEng026Ctl) - http://iii.tv/pink/026/XEng026.CAB
    O16 - DPF: {B15108AA-D8D0-480D-B535-07E18D6549A8} (XBurger.XBurgerCtl) - http://www.ccremon.com/card/cab/XBurger.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...,19/mcgdmgr.cab
    O16 - DPF: {BD092CD7-AA66-4FF6-8CE1-D4E01489ED2B} (VacPro.UserControl1) - http://www.7adpower.com/dialer/EMSAT.CAB
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download...ptdmgainads.cab
    O16 - DPF: {CF051549-EDE1-40F5-B440-BCD646CF2C25} (Ppinstall Control) - http://www.163.com/wwwimages/sms/ppinstall22.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab


    I highlighted what keeps coming back once IE is launched, no matter how many times you remove them manually or with HijackThis. I tried deleting the mfcub.exe on my hard disk, which is in the registry RUN section, but next time there will be a new file with another name in the same section whenever I open IE. Last time in my first thread it was called javazo32.exe. Good job.
    Are there any other bad entries in the registry? And what can I do?
  • edited June 2004
    It always amazes me why people come for help if they go to sites like cutygirls.net for on-purpose desires :P

    O16 - DPF: {41770406-8D8B-4E77-81BD-459F191F4347} (XEng003.XEng003Ctl) - http://cutygirls.net/pink/003/XEng003.CAB


    Oh, and by the way, Even JP people use HiJackThis: Go go anti-hazard-ware!

    http://higaitaisaku.web.infoseek.co.jp/htexample2.html

    XD


    And i ran a search on that XBurger.CAB file from:
    O16 - DPF: {B15108AA-D8D0-480D-B535-07E18D6549A8} (XBurger.XBurgerCtl) - http://www.ccremon.com/card/cab/XBurger.CAB

    And found this site:

    http://forums.techguy.org/showthread.php?threadid=142824&d0d3987037f4fd6464941539294fb3b1

    The third post in that thread from the link I posted may be helpful.
  • edited June 2004
    Did any of this help?
  • edited June 2004
    metomeya, that HJT log has some nasties in it. Tell this person who has this machine to install and run both Ad-aware and Spybot Search & Destroy 1.3 after updating their definition files, then come over here and post a new HJT log. This one will be a little too complicated for them to do without directly posting here, I think. I already found one keylogger in 5 minutes of searching and a bunch more entries that look like they might be nasty too.
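Added example, not code from this thread or from HijackThis: a small Python triage script that parses HJT log lines of the kind posted above and flags the patterns the replies point at (res:// start/search pages, an unnamed BHO and a Run entry loading files dropped in the Windows directory root, an ActiveX download served from a bare IP). The sample lines are copied from the posted log; the flagging heuristics are my own assumptions, not HijackThis rules, and a hit is a prompt to investigate, not a verdict.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gapyv.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gapyv.dll/index.html#96676
O2 - BHO: (no name) - {F016EFF6-7206-8B10-B2DA-2E5F3C5E643C} - C:\WINNT\winxi.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mfcub.exe] C:\WINNT\mfcub.exe
O16 - DPF: {596546D4-3213-4376-923E-3251CFA2511E} (XBokkori.XBokkoriCtl) - http://210.188.252.101/html/exe/XBokkori.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Heuristic (assumption): a binary sitting directly in the Windows root, e.g. C:\WINNT\mfcub.exe,
# is unusual for legitimate software and matches the droppers named in this thread.
WINROOT_FILE_RE = re.compile(r"^[A-Z]:\\(WINNT|WINDOWS)\\[^\\]+\.(exe|dll)$", re.I)
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.I)

def run_target(body: str) -> str:
    """Extract the executable path from an O4 body (quoted path, or first token)."""
    cmd = body.split("] ", 1)[-1].strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def triage_line(line: str):
    """Return a reason string if the HJT entry looks suspicious, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and "= res://" in body:
        # res:// loads HTML embedded as a resource inside a local DLL (here gapyv.dll),
        # the hijack the original poster describes.
        return "start/search page points at HTML inside a local DLL (res://)"
    if code == "O2" and body.startswith("BHO: (no name)"):
        if WINROOT_FILE_RE.match(body.rsplit(" - ", 1)[-1]):
            return "unnamed BHO loaded from the Windows directory root"
    if code == "O4" and WINROOT_FILE_RE.match(run_target(body)):
        return "Run entry launches a binary dropped in the Windows directory root"
    if code == "O16" and IP_HOST_RE.match(body.rsplit(" - ", 1)[-1]):
        return "ActiveX (DPF) download sourced from a bare IP address"
    return None

def triage_log(text: str):
    """Return (entry, reason) pairs for every flagged line in an HJT log."""
    return [(l.strip(), r) for l in text.splitlines() if (r := triage_line(l))]
```

Running `triage_log(SAMPLE_LOG)` flags five of the seven sample entries and leaves the QuickTime and Macromedia lines alone.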