Hello everyone. I'll get right to it. My home page has been hijacked to this address, res://hihxl.dll/index.html#96676 . It is a page called “home search” with a couple hundred links on it. Also, upon starting Internet Explorer, a popup from “search-all-fast.com” appears, and then similar ones or the same one keep appearing frequently, as long as I am on the internet (I have dial-up), even if IE isn’t running. Now, I have Avast! loaded, updated, and running at its most secure level. Frequently when online a virus alert pops up saying that I am infected with win32:trojano-180, I delete it, and then a little while later it pops up again. So far in writing this message I have had 5. I have done numerous pre-Windows XP loading scans at the highest level. In addition to avast! I have installed, updated and used Ad-aware, Hijack this, Spybot S&D, Spyware blaster, registry mechanic, and spyware doctor. Usually after a few days I can get bugs off, but am stumped this time. I have tried everything that I know how to do. Oh, also after using IE for a while, the trojan or whatever I have stops any data at all from being transmitted over my modem (I know that this is not my service provider as it started exactly when I was infected). That screen that says “this page cannot be displayed” is also different now, “kindly” offering other links to go to since the page is not available. Thanks everyone here. PS, I'm running Windows XP.
Hello!
Did you block the IE start page in Spyware Blaster?
Where is the trojan located? (file and path) Maybe you should empty your temporary folder and/or disable system restore (to empty it and enable it again) :
I’m not sure what you mean by blocking the start page. I have all of Spyware Blaster's protection updated and enabled. I will list the places this trojan has infected so far (the ones that I’ve written down). These all start with C:/windows/ - apisf.exe, atlrr.exe, ntkq.exe, crbi32.exe, iehv.exe, msyj32.exe, apity32.exe, atlfq32.exe, sdkyf.exe, winaw32.exe. I have deleted them all.
PS, C:/windows/winsr.exe just popped up in avast while I was posting this. I deleted it.
SpyBot and SpywareBlaster have features to ‘lock’ the IE start page.
You said this in your first post, if I understood it correctly :
OK. I see in Spyware Blaster what you mean. I set everything in there to what it was before, and it worked for one time when I opened IE. The next time I opened it, it's back to the wrong home page again.
So you have a trojan
Try a full scan with avast, a scan at boot time and, if you can, I suggest an online scan by Trend Micro (www.trendmicro.com).
Maybe you can send an IM to whocares and ask for help.
See the virus board and read his advice: http://forum.avast.com/index.php?board=4;action=display;threadid=5373
You may also try this cleaner: http://www.downloads.subratam.org/AboutBuster.zip
After that, restart (stay offline!), generate a HijackThis log (www.hjt.klaffke.de/en) and post it here or, better, in the virus and worms forum.
That program, AboutBuster, seemed to find and delete a lot of stuff. I thought that it worked, because after doing that and then doing a boot scan with avast!, Internet Explorer was reset to my home page and even after a couple re-loads of it it seemed to work smooth. Then, all of a sudden I got that trojano-180 warning from Avast! and now it’s back. Anyways, here's my log.
Logfile of HijackThis v1.97.7
Scan saved at 5:08:06 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\apiid32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\prdhy.dll/sp.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll
O4 - HKLM..\Run: [mswspl] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [apiid32.exe] C:\WINDOWS\apiid32.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38164.8623263889
O17 - HKLM\System\CCS\Services\Tcpip..{BF97B015-1FF3-46FD-A784-709AC574A598}: NameServer = 63.93.64.20 63.93.64.21
Thank you for your help.
raman, I did not forget you but I didn’t know you were round in this part of the forums… Thanks for helping in this issue
Technical, ran102 post a topic in “virus and worms”!
Please fix the following entries in safe mode(!).
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://prdhy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\prdhy.dll/sp.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll
Rename these files:
C:\WINDOWS\d3uc.dll
C:\WINDOWS\apiid32.exe
and send them packed and password-protected to virus(at)asw.cz
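
The following is an added example, not part of the thread and not HijackThis's own code: a small triage script that parses HijackThis entry lines and flags the kinds of entries listed for fixing in the post above (IE pages set to res:// URLs, an unnamed BHO, an autorun binary sitting directly in C:\WINDOWS). The three rules are assumed heuristics for deciding what to review, not verdicts; the sample lines are copied from the log posted earlier in the thread.

```python
import re

# Entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\prdhy.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://prdhy.dll/index.html#96676
O2 - BHO: (no name) - {372EF314-6508-92AB-732E-258B08992A73} - C:\WINDOWS\d3uc.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [apiid32.exe] C:\WINDOWS\apiid32.exe
O17 - HKLM\System\CCS\Services\Tcpip..{BF97B015-1FF3-46FD-A784-709AC574A598}: NameServer = 63.93.64.20 63.93.64.21
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_ITEM = re.compile(r"\[(.*?)\] (.+)$")
# Assumed heuristic: a binary directly in the Windows directory, not in a sub-folder.
WINDOWS_ROOT_FILE = re.compile(r"C:\\WINDOWS\\[^\\/]+\.(?:exe|dll)$", re.I)


def parse(log):
    """Yield (section, detail) for every 'Xn - ...' entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for section, detail in parse(log):
        if section in ("R0", "R1"):
            # IE start/search page values; res:// loads HTML out of a local DLL.
            if detail.partition(" = ")[2].lower().startswith("res://"):
                findings.append((section, "IE page points into a local DLL", detail))
        elif section == "O2":
            parts = detail.split(" - ")
            if "(no name)" in parts[0] and WINDOWS_ROOT_FILE.match(parts[-1]):
                findings.append((section, "unnamed BHO in Windows directory", detail))
        elif section == "O4":
            m = RUN_ITEM.search(detail)
            if m and WINDOWS_ROOT_FILE.match(m.group(2)):
                findings.append((section, "autorun binary in Windows directory", detail))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:<3} {reason}: {detail}")
```
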