
windowws.cc home page hijack

Please help! I have been hijacked by a (trojan?). My internet homepage address keeps changing to http://www.windowws.cc/hp.htm?id=191, and popups then come up saying things like "you have spyware detected", etc.

I have run a HijackThis log and run buster on it in safe mode, as well as Ad-Aware. I still have the problem.

Logfile of HijackThis v1.97.7
Scan saved at 7:01:40 PM, on 9/03/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\sgfd3d91vdnb.exe
C:\WINDOWS\System32\sgfd3d91vdnb.exe
C:\Program Files\highjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=191
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mybc.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ltr16fudebdry.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgfd3d91vdnb.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.mybc.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://63.217.31.12/dial6/058439ca.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37952.6719444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

what is my course of action???

thank you
Phoenix1

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    You are not gonna believe how easy this is.

    Check me out :ninja:

    get rid of the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=191
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mybc.com
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ltr16fudebdry.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgfd3d91vdnb.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.mybc.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...ector/swdir.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://63.217.31.12/dial6/058439ca.exe
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7952.6719444444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab


    You're not gonna want XXXtoolbar on the same computer that nick.com is on. That tells me that kids use this computer and someone looks at porn on this computer. Bad combo.

    Anyways, next, set your computer to show hidden files and folders and then manually find and delete these files:

    C:\WINDOWS\System32\ltr16fudebdry.dll
    C:\WINDOWS\System32\sgfd3d91vdnb.exe

    Then, you are good to go. sweet, ain't it?
  • edited September 2004
    Thanks, but this only worked for a brief second, and then it was back and a new .dll and .exe were put into the System32 directory. There seem to be a lot of them in there and they keep changing names every time IE is opened. Do I have a combination of trojans affecting me?

    Here is a new log
    Logfile of HijackThis v1.97.7
    Scan saved at 9:46:12 AM, on 9/06/04
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\sgehvh3trg.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\WinMX\WinMX.exe
    C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\highjackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=191
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=191
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=191
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=191
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=191
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\tzeny26xt99.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgehvh3trg.exe
    O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\cll5w98plh8k6w.exe
    O4 - Global Startup: winlogin.exe
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  • Dexter Vancouver, BC Canada
    edited September 2004
    Some persistent entries... try this. If you are not sure how to do some of the things I tell you, check the links I provide for instructions.

    If you have not done so already, please first Run Ad Aware and Spybot S&D.
    This is explained, along with several other things, in the link above titled Steps To Take Before Posting a Hijack This Log.

    Please make sure that HijackThis.exe is in its own folder, as explained here.

    Set your system to Show Hidden Files and folders.

    For Windows XP or ME, Disable System Restore.

    Reboot into Safe Mode.


    Run Hijack This. FIX THE FOLLOWING:

    **************

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=191
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=191
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=191
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=191
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=191
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\tzeny26xt99.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgehvh3trg.exe
    O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\cll5w98plh8k6w.exe
    O4 - Global Startup: winlogin.exe
    O15 - Trusted Zone: *.greg-search.com

    **************

    Stay in Safe mode, manually locate the exe and dll files in the entries above, and quarantine them.

    Reboot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things looks clean, re-enable your system restore and set a new restore point.

    Please read our article on Defeating Spyware for tips on how to improve your Internet Explorer security, or to learn how to switch to a different browser. For more general information about spyware read this page.

    If you are running Windows XP, and have not yet upgraded to Service Pack 2, please do so, especially if you plan to stay on Internet Explorer. SP2 introduces some security features to help protect you from unwanted downloads in Internet Explorer. Upgrade to XP Service Pack 2 here, courtesy of Short-Media's downloads section.

    Finally, if you have not already done so, please take the time to find out more about Folding For a Cure, a good cause by which your computer uses its spare power to help search for cures to diseases. We would love to have you on our Team.

    Dexter...
  • edited September 2004
    I did as you suggested: ran Ad-Aware with current updates and ran Spybot with current updates. Then I booted up in safe mode, ran HijackThis, fixed the required entries, and then quarantined the DLLs and EXEs. I rebooted and the windowws homepage comes back within seconds, and my address bar turns to http://296f8.ilxt.info/index.php?aid=191

    I cannot access many websites, it says "The page cannot be displayed", for example Yahoo.com or Google.com, and when I try Windows Update, from various sites, this nasty page keeps coming up http://296f8.ilxt.info/index.php?aid=191

    My computer is getting beat up pretty good and as soon as I solve this attack I'm getting top notch anti virus software (if there is such a thing)

    I've tried numerous variations, as well as direct instruction, of getting rid of this trojan and cannot. Does it matter that I have 3 profiles on the machine and they all have the same windowws home page problem?

    I am getting close to reformatting my drive and installing all software over again, but am trying to get this fixed with all your guys help (not giving up without a fight)

    Is anyone else getting this windowws.dll problem?

    Dexter - one other thing, the winlogin.exe cannot be fixed in HijackThis, and I also cannot end the process because it says it is critical. How do I get rid of this trojan?

    Thanks
    Phoenix1


    Logfile of HijackThis v1.97.7
    Scan saved at 8:48:05 PM, on 9/12/04
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\sgc93vfcxth9.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\highjackthis\HijackThis.exe

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\bt044watlh.dll
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgc93vfcxth9.exe
    O4 - Global Startup: winlogin.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095046386421
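    Added here as a worked example (not code from the thread, from HijackThis, or from either helper): a small Python triage script for the kind of log lines posted above. It flags the entries the replies told Phoenix1 to fix (browser start/search URLs, a site added to the Trusted Zone, an ActiveX download from a raw IP, random-looking file names in System32, and winlogin.exe as a near-miss of winlogon.exe), and it does the thing Phoenix1 is running into by hand: it correlates the three logs by the handles the malware does not change. The BHO CLSID {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} and the Run-key name "Network Security Guard" stay fixed while the DLL and EXE names rotate, so those are the identifiers to pivot on. The sample lines are copied from the logs in this thread; the vendor-host allowlist, the "random name" heuristic and the list of core process names are assumptions made for the example.

```python
"""Triage for HijackThis-style log lines (constructed example, not HJT code).

Parses R0/R1/O2/O4/O15/O16 lines, flags entries worth a close look, and
correlates several logs by the identifiers that survive file renaming
(the BHO CLSID and the Run-key name).
"""
import re
from collections import OrderedDict
from urllib.parse import urlparse

# Constructed sample: the relevant lines from the three logs in this thread
# (scans of 9/03/04, 9/06/04, 9/12/04) plus two benign entries for contrast.
LOGS = OrderedDict([
    ("9/03/04", [
        r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=191",
        r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ltr16fudebdry.dll",
        r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
        r"O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgfd3d91vdnb.exe",
        r"O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://63.217.31.12/dial6/058439ca.exe",
        r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
    ]),
    ("9/06/04", [
        r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=191",
        r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\tzeny26xt99.dll",
        r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
        r"O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgehvh3trg.exe",
        r"O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\cll5w98plh8k6w.exe",
        r"O4 - Global Startup: winlogin.exe",
        r"O15 - Trusted Zone: *.greg-search.com",
    ]),
    ("9/12/04", [
        r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\bt044watlh.dll",
        r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
        r"O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgc93vfcxth9.exe",
        r"O4 - Global Startup: winlogin.exe",
    ]),
])

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
KNOWN_HOSTS = ("microsoft.com", "macromedia.com", "yahoo.com")   # assumed allowlist
CORE_PROCESSES = ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "spoolsv.exe", "explorer.exe")   # assumed list

def parse(line):
    """Split one HJT line into code (R0, O2, ...), CLSID, URL, Run-key name, path."""
    code, _, body = line.partition(" - ")
    e = {"code": code, "clsid": None, "url": None, "name": None, "path": None}
    m = CLSID_RE.search(body)
    e["clsid"] = m.group(0) if m else None
    m = URL_RE.search(body)
    e["url"] = m.group(0) if m else None
    if code == "O2":
        e["path"] = body.rsplit(" - ", 1)[1]           # last field is the DLL path
    elif code == "O4":
        m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$", body)
        if m:                                           # HKLM\..\Run: [name] command
            e["name"], rest = m.group("name"), m.group("rest")
            if rest.startswith('"'):
                e["path"] = rest[1:rest.index('"', 1)]  # quoted path, drop arguments
            else:
                e["path"] = re.split(r"\s+[/-]", rest)[0]   # unquoted path, drop /args
        else:                                           # Global Startup: file.exe
            e["name"], e["path"] = "Global Startup", body.rsplit(": ", 1)[1]
    return e

def basename(path):
    return path.rsplit("\\", 1)[-1]

def looks_random(filename):
    """Heuristic: a digit followed by a letter inside the stem (sgfd3d91vdnb).
    Digits only at the end (devldr32) do not match. A hint, not a verdict."""
    stem = filename.rsplit(".", 1)[0]
    return re.search(r"\d[a-z]", stem, re.I) is not None

def edit_distance(a, b):
    """Plain Levenshtein distance; strings are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(filename):
    """Core process name this file is exactly one edit away from, else None."""
    name = filename.lower()
    if name in CORE_PROCESSES:
        return None
    return next((real for real in CORE_PROCESSES if edit_distance(name, real) == 1), None)

def triage(lines):
    """Return (line, reason) pairs for entries a defender should examine."""
    findings = []
    for line in lines:
        e = parse(line)
        fname = basename(e["path"]) if e["path"] else None
        host = (urlparse(e["url"]).hostname or "") if e["url"] else ""
        if e["code"] in ("R0", "R1") and e["url"]:
            findings.append((line, "browser start/search setting points at " + host))
        elif e["code"] == "O15":
            findings.append((line, "site added to Trusted Zone (relaxes IE security for it)"))
        elif e["code"] == "O16" and e["url"]:
            known = any(host == k or host.endswith("." + k) for k in KNOWN_HOSTS)
            if re.fullmatch(r"\d+(\.\d+){3}", host) or e["url"].lower().endswith(".exe") or not known:
                findings.append((line, "ActiveX download from unvetted source: " + host))
        elif fname and lookalike(fname):
            findings.append((line, "lookalike of system process " + lookalike(fname)))
        elif fname and looks_random(fname) and "system32" in e["path"].lower():
            findings.append((line, "random-looking file name in System32: " + fname))
    return findings

def churn(logs):
    """Group O2 entries by CLSID and O4 entries by Run-key name across logs;
    return the handles that resolved to more than one file name, in first-seen order."""
    seen = OrderedDict()
    for lines in logs.values():
        for line in lines:
            e = parse(line)
            if e["code"] == "O2" and e["clsid"] and e["path"]:
                key = ("O2", e["clsid"])
            elif e["code"] == "O4" and e["name"] and e["path"]:
                key = ("O4", e["name"])
            else:
                continue
            names = seen.setdefault(key, [])
            if basename(e["path"]) not in names:
                names.append(basename(e["path"]))
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for date, lines in LOGS.items():
        print(f"== log of {date} ==")
        for line, reason in triage(lines):
            print(f"  [{reason}] {line}")
    print("== stable handles whose file names keep changing ==")
    for (code, handle), names in churn(LOGS).items():
        print(f"  {code} {handle}: {' -> '.join(names)}")
```

    Run as a script it prints the flagged lines per log and then the two handles that rotated through three file names each. The practical lesson for a log like this one: fixing the entry by file name only removes today's copy, while the CLSID and the Run-key name are what to search for after the next reboot.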
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Do me a favor. Update HJT to the latest version (1.98.2) which can be found on our security downloads page (link in my sig).... Run that and give me a log from that version.
    :)