home page virus help

Discussion in 'Software Q&A' started by vikasg03, Feb 15, 2006.

Thread Status:
Not open for further replies.
  1. vikasg03

    vikasg03 New Member

    hello

    My home page was hijacked by a trojan virus. The home page changed to findthesiteyouneed.com, and unknown sites open automatically at intervals of two minutes. Please help.

    vikas
     
  2. ashu888ashu888

    ashu888ashu888 Core i7 (nehalem) Owner

    Did you scan your PC with any software or not? Like an AV (antivirus) or an anti-spyware tool? If not, do this:

    Install free s/wares like:
    Ad Aware (get it here): www.download.com/3000-2144-10045910.html and...
    Spybot S&D 1.4 (get it here): www.download.com/3000-2144-10122137.html

    Update the definitions and perform a full system scan. Also do a virus scan using a reputed AV (antivirus) tool and post your results.

    Cheers n e-peace.....
     
  3. OP
    OP
    vikasg03

    vikasg03 New Member

    I already use this software and these tools, but the problem remains the same.

    1. spyware doctor
    2. Trojan remover
    3. ad aware
    4. spyware-search and destroy
    5. System mechanics 6.0 pro
    6. spyware guard
    7. Anti trojan shield
    8. bug doctor
    9. stinger

    ......... and many more.
    These s/w found 500+ trojans/registry errors and fixed them also.

    The main problem is that illegal or unwanted sites open automatically at regular intervals, without my doing anything on the net.

    vikas
     
  5. anandk

    anandk Distinguished Member

    Disable active protection of all your software like spywareguard, etc.
    Change your homepage to 'about:blank' from the IE internet options, or restore browser settings using ms anti-spy's system tools > restore browser settings.

    Clear your PC junk using the freeware 'ccleaner'.
    Then lock your start page using spywareblaster or msantispy or spyguard.

    Run your anti-spys like ms antispy or others in safe mode.
    Then restart your active protections, if any. Allow detected registry changes.

    If it doesn't help, post your HijackThis logfile here.
     
  6. OP
    OP
    vikasg03

    vikasg03 New Member

    nothing help me

    how to remove this message in vb "save changes to the following files "


    hello

    Nothing will help me. I do not want to format my system because this will show my defeat against the virus. My problem is again the same. Many websites open automatically without my intervention. Some examples are listed below. I am also sending the log file of HijackThis. My PC is infected with the drsmartload and winsysupd* series virus. Every day I remove entries from the registry and the c:\windows folder, but the virus creates them again. Please help.

    vikas

    The list of sites that open automatically is:

    www.findyoursite.com

    http://www.intern-etadvertising.com/normal/yyy102.html

    http://www.inter-netsuggestions.com/normal/yyy102.html

    http://popunder.paypopup.com/adsDir...d=&campaign=&type=&ref=&rurl=&clater=&defurl=

    http://www.hug-ediscounts.com/normal/yyy102.html


    The log file of HijackThis is:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:28:04 PM, on 2/17/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\system32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\ora9ids\bin\agntsrvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\MSTask.exe
    C:\ora9ids\bin\dbsnmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINNT\system32\rundll32.exe
    C:\windows\winsysban9.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\cidaemon.exe
    C:\WINNT\system32\cidaemon.exe
    C:\ora9ids\bin\ifbld90.exe
    C:\WINNT\system32\cmd.exe
    C:\ora9ids\jdk\bin\java.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\ora9ids\bin\sqlplusw.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\ora9ids\bin\rwbuilder.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\ora9ids\bin\ifweb90.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 133.147.171.220:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\cbxuv.dll
    O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINNT\system32\byxxy.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [WinDLL (xvd32.dll)] rundll32.exe C:\WINNT\system32\xvd32.dll,start
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://133.147.224.71/tsweb/msrdp.cab
    O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) - http://avinashkumar:8889/forms90/jinitiator/jinit.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{50318F97-3595-4A06-9F6F-D0B464DFB0D8}: NameServer = 203.122.63.152,203.122.63.154
    O17 - HKLM\System\CS1\Services\Tcpip\..\{50318F97-3595-4A06-9F6F-D0B464DFB0D8}: NameServer = 203.122.63.152,203.122.63.154
    O17 - HKLM\System\CS2\Services\Tcpip\..\{50318F97-3595-4A06-9F6F-D0B464DFB0D8}: NameServer = 203.122.63.152,203.122.63.154
    O20 - Winlogon Notify: byxxy - C:\WINNT\system32\byxxy.dll
    O20 - Winlogon Notify: cbxuv - C:\WINNT\SYSTEM32\cbxuv.dll
    O20 - Winlogon Notify: Telephony - C:\WINNT\system32\lv2o09f3e.dll
    O20 - Winlogon Notify: winbmf32 - C:\WINNT\SYSTEM32\winbmf32.dll
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Oracleora9idsAgent - Oracle Corporation - C:\ora9ids\bin\agntsrvc.exe
    O23 - Service: Oracleora9idsClientCache - Unknown owner - C:\ora9ids\BIN\ONRSD.EXE
     
  7. swatkat

    swatkat Active Member

    Re: nothing help me

    Hi,
    Make Windows show all files:
    Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.


    Can you do one thing? Navigate to the C:\WINNT\system32\ folder and locate this file byxxy.dll and then ZIP it, and upload it at RapidShare ( www.rapidshare.de ) and give me back the download link.


    Download VundoFix.exe to your desktop. Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop.


    After the files are extracted, please reboot your computer into "Safe Mode". You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.


    Once in "Safe Mode", delete this file:-
    C:\windows\winsysban9.exe


    Next, open the VundoFix folder and double-click on KillVundo.bat.
    You will first be presented with a warning. It should look like this:
    At this point press "Enter" one time.

    Next you will see:
    At this point please type the following file path (make sure to enter it exactly as below):
    C:\WINNT\system32\byxxy.dll

    Press "Enter" to continue with the fix.

    Next you will see:
    At this point please type the following file path (make sure to enter it exactly as below):
    C:\WINNT\system32\yxxyb.*


    Press "Enter" to continue with the fix. The fix will run and HijackThis will open. If it does not open automatically, please open it manually.

    In HijackThis, please place a check next to the following items:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\cbxuv.dll
    O2 - BHO: ADOUsefulNet Object - {EFF1B7BE-A875-450E-AD69-E93457DCEE6A} - C:\WINNT\system32\byxxy.dll
    O4 - HKLM\..\Run: [WinDLL (xvd32.dll)] rundll32.exe C:\WINNT\system32\xvd32.dll,start
    O20 - Winlogon Notify: byxxy - C:\WINNT\system32\byxxy.dll
    O20 - Winlogon Notify: cbxuv - C:\WINNT\SYSTEM32\cbxuv.dll
    O20 - Winlogon Notify: Telephony - C:\WINNT\system32\lv2o09f3e.dll
    O20 - Winlogon Notify: winbmf32 - C:\WINNT\SYSTEM32\winbmf32.dll
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


    After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."

    After you have fixed these items, close Hijackthis.

    Press "Enter" to exit the program, then manually reboot your computer.


    Now, download L2mfix from one of these two locations:
    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.


    Copy the contents of that log along with a NEW HijackThis log. (Don't forget to upload the ZIPPED file at RapidShare ;-) )

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work.
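
Sorting a HijackThis log like the one posted in this thread into "review" and "leave alone" can be pre-screened mechanically before a person decides what to fix. The following is an added example, not part of any post here and not HijackThis's own logic: the sample lines are copied from the log posted earlier in the thread, and the heuristics and the `TRUSTED_HOSTS` allowlist are assumptions for illustration that only flag candidates for manual review.

```python
import re
from urllib.parse import urlparse

# A subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINNT\system32\cbxuv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinDLL (xvd32.dll)] rundll32.exe C:\WINNT\system32\xvd32.dll,start
O20 - Winlogon Notify: byxxy - C:\WINNT\system32\byxxy.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Oracleora9idsAgent - Oracle Corporation - C:\ora9ids\bin\agntsrvc.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")   # e.g. "O20 - ..."
TRUSTED_HOSTS = ("microsoft.com", "google.com")     # assumption: reviewer's own allowlist

def parse(log):
    """Yield (section, body) for each 'Xn - ...' entry; skip headers and process paths."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def reason(section, body):
    """Return why an entry deserves manual review, or None (heuristics are assumptions)."""
    if section in ("R0", "R1") and " = http" in body:
        host = urlparse(body.split(" = ", 1)[1]).hostname or ""
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
            return "browser URL setting points at unlisted host " + host
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object with no name"
    if section == "O4" and "rundll32" in body.lower():
        return "autorun entry loads a DLL through rundll32"
    if section == "O20":
        return "Winlogon Notify DLL is loaded into winlogon.exe"
    if section == "O23" and " - Unknown owner - " in body:
        return "service listed with 'Unknown owner'"
    return None

def triage(log):
    """Return (section, body, reason) for every entry that some heuristic flags."""
    return [(s, b, r) for s, b in parse(log) if (r := reason(s, b))]

if __name__ == "__main__":
    for section, body, why in triage(SAMPLE_LOG):
        print(f"[{section}] {why}\n      {body}")
```

A flagged line is a prompt to look up the file and its publisher, not a verdict; unflagged lines still need a look when the symptoms persist.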
     
  8. swatkat

    swatkat Active Member

    Also, while you are in safe mode, BEFORE running the VundoFix, do this step:-
    Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named Network Monitor and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".

    And, delete this folder:-
    C:\Program Files\Network Monitor
     
  9. OP
    OP
    vikasg03

    vikasg03 New Member

    I already removed that file with one software.
     
  10. longhorn

    longhorn New Member

    Don't worry about it, just use Microsoft's antispyware beta version for all the trojans and home page hijacks; it will remove your home page hijacker.
    You can download it from Microsoft for free.
     
  11. Earl1983

    Earl1983 New Member


    Try using ANTI TROJAN SHIELD, it's a good tool to remove trojan viruses!)
     
  12. Net007

    Net007 Guest

    Download trial version of Kaspersky Antivirus and update it. Then check your computer for viruses. This will solve your problem.
     
  13. ico

    ico Super Moderator

    This thread is very old (1.5 years). I think that 'vikasg03' has already solved his problem.
    A piece of advice for others: use Trojan Hunter for removing Trojans.
     