unstoppable spyware/virus - please help 3

[rlaeromech]

I seem to have a spyware or a virus that nothing can fix. It changes my homepage to "about:blank" and that is a search page with no name. It also sends pop-ups that tell me I have spyware installed and to click the add to get software to remove it. The pop-ups breack through my adsgone software. I have run ad-aware, hijack this, cwshredder and spybot. Hijack this finds the R1 and R0's and I delete them as well as a BHO wchich shows a *.dll file in my winnt/system32 folder. I have tried to delete the dll file, but it won't let me because the file is in use. So I changed the name of the file and then deleted it. But then it reproduces itself under a different *.dll name and does the same thing. I am running an online virus scan again at trendmicro, but I have done this before as well. Ad-aware finds some objects as well as some files and they have been deleted. But somewhere I have a virus I think that is running in the background and I can't find it. Anyone help?!!!

 

[diogenes10]

No promises-3 things you could check:

Thread760-824753
missleman comment may 7 mentions a program which you could try.

http://www.spywareinfo.com/~merijn/

Brand new June 1 comment which may relate to your situation.

http://www.spywareinfo.com/~merijn/cwschronicles.html

Variant 39 contains comments about using a couple of programs.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[jrbarnett]

This is how to read a HijackThis log file:
It does take a bit of time to process.

http://www.tek-tips.com/faqs.cfm?spid=760&sfid=4897

John

 

[crackn101]

It would help if you posted your hijack-this log.

 

[shrubble]

AHHHH- I just posted an FAQ for spyware removal... do you wanna be the first daring soul to give it a shot?

deletion mistake
no I can't recover that
you didn't save it

-Shrubble

http://www.ishrubble.com

 

[rlaeromech]

When you use the word "daring", that makes me a little cautious, what does it involve?

 

[shrubble]

It's a piece of cake! Seriously, just click the FAQ tab up top, you'll see my post.

deletion mistake
no I can't recover that
you didn't save it

-Shrubble

http://www.ishrubble.com

 

[bcastner]

http://www.spywareinfo.com/forums/index.php?showtopic=43970

http://www.spywareinfo.com/forums/index.php?showtopic=43492

 

[diogenes10]

http://www.spywareinfo.com/forums/i...5057b2e0da&showtopic=43492&st=30&#entry219322

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[diogenes10]

oops sorry bcastner, I was hunting while you were writing.

rlaeromech
You need to read through bcastner's ref to see what you're dealing with here. This is a very tricky problem and a lot of good heads have been investing a lot of effort into figuring out how to get rid of it.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[tdenitti]

I've run into this about:blank homepage before as well. Yesterday as a matter of fact. I used bazooka spyware/adware removal tool from

http://www.kephyr.com

and ad-aware from

http://www.lavasoftusa.com.

Also look for a directory in your C:\Program Files directory named Lycos. If this directory exists delete the whole thing. The Lycos folder might contain 2 subdirectories named IEAgent and SideSearch. Don't worry about deleting these. You might have to boot into safe mood or end all non-Windows processes to do so but it will work. After manually deleting the Lycos directory, follow this up by a scan by Bazooka and Ad-Aware. Hope this helps.

 

[rlaeromech]

sorry so long, here is my log from hijack this. This is after I have been infected. I can fix the R1 and R0's and also the 2nd BHO. I have even tried to delete the file listed in the BHO but it won't let me. I have tried to rename and that works for a little bit but then it comes back under a new name. I believe it is also letting pop-ups get through my pop-up blocker and I am pretty sure I have spyware. Here's the log:
Logfile of HijackThis v1.97.7
Scan saved at 8:37:14 AM, on 6/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\XSM.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\Scansoft\PaperPort\xdcla.exe
C:\Program Files\Starfish\TrueSync\tstool.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\PROGRA~1\NORTON~1\QServer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {00CB775B-609C-432D-8176-F4C87BF2ADBB} - C:\WINNT\system32\akffkje.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: AdsGone 2003.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Image Retriever.lnk = C:\Program Files\Scansoft\PaperPort\xdcla.exe
O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AdsGone (HKLM)
O9 - Extra 'Tools' menuitem: &AdsGone Settings (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.real.com/033415bb5e93195dfd19/netzip/RdxIE601.cab

 

[diogenes10]

Have you read bcastner's links and made an effort to apply the info there?

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[rlaeromech]

I did and I think it worked. It wasn't that hard at all.

 

[diogenes10]

Great!

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[jrbarnett]

Hi

There are two different xsm.exe programs: one is a virus

http://www.sophos.com/virusinfo/analyses/w32spybotap.html

but the other is a legitimate piece of software (part of the X windowing system client on cygwin)

Other than that, the following items should be fixed with HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\akffkje.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {00CB775B-609C-432D-8176-F4C87BF2ADBB} - C:\WINNT\system32\akffkje.dll

I'd run a full virus scan and spyware scan over your machine after removing this lot.

John

 

[diogenes10]

The O16 entry is also commonly recommended for removal, I've no idea if its presence would cause a reinfection of cws.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[rlaeromech]

well what I thought had worked simply delayed the process. The file showing up in the value section of reglite is called winelbj.dll. I clear it after I change the directory to notwindows and then change the directory back. But when I go to DOS to find the file, its not there to delete. So it eventually comes back. what now?

 

[dstcroix]

You have been hi-jacked probably by the Startpage.4.A0 trojan. I had the exact same thing happen to me. I tried everything possible to get rid of it, all to no avail.

It seems this nasty little bugger loads up when Windows and/or IE starts up. Everytime a .dll was detected as a trojan, it just kept coming back with a different .dll file. Nasty!

Like I said I could not get rid of it, neither could anyone else on the net apparently (and Symantec doesn't even detect this trojan).

The bad news is that I had to format the C: drive and reinstall Windows. The good news is that this worked and also prompted me to get a hardware firewall.

Sorry to hear about that particular hi-jacking and best of luck. Do a search for Startpage.4 and perhaps something new has come up in the last few days.

Deanna

 

[rlaeromech]

was the file named winelbj.dll like mine or did it have a different name.