
Author Topic: hijacked browser - need to alter .dll  (Read 5392 times)


Kate99

  • Guest
hijacked browser - need to alter .dll
« on: April 26, 2005, 07:18:35 AM »
Hi - My homepage (google) has been hijacked, and in properties the URL address of the page that appears is C:\WINDOWS\System32\spnxf.dll/blank.html

The page is an e-search page, with links to all sorts of adult / affiliate types of things e.g. *censored*, insurance, sex sites, prescriptions etc.

I also get pop ups for adult poker, sex etc at odd times.   The files keep getting added to my favourites even though I delete them.

I have been into spnxf.dll in notepad, and I can see all of the links contained within the junk (I have enclosed a *small part*  of it at the bottom of the message so you can see what I mean).

I have copied all of the text into another notepad file in case I ever needed it, but when I tried to delete the info in this file and save it, it wouldn't let me save.  

My question is: how can I alter this file (safely), as I am sure that by doing so my computer will be rid of the junk. :P

Thanks
Kate


          <script language=JavaScript>keywords();</script>
     <div align="center">

       <a href="javascript:go('*censored*')">*censored* [/url] |<a href="javascript:go('xanax')">xanax[/url]|
       <a href="javascript:go('phentermine')">phentermine[/url] |<a href="javascript:go('online pharmacy')">online
       pharmacy[/url]| <a href="javascript:go('carisprodol')">carisoprodol[/url]
       |<a href="javascript:go('hydrocodone')">hydrocodone[/url]| <a href="javascript:go('valium')">valium[/url]
       |<a href="javascript:go('*censored*')">*censored*[/url]| <a href="javascript:go('fioricet')">fioricet[/url]

       <a href="javascript:go('texas holdem')">texas holdem[/url] |<a href="javascript:go('party poker')">party
       poker[/url]| <a href="javascript:go('roulette')">roulette[/url] |<a href="javascript:go('online gambling')">online
       gambling[/url]| <a href="javascript:go('blackjack')">blackjack[/url] |<a href="javascript:go('slots')">slots[/url]| <a href="javascript:go('casino')">casino[/url]        | <a href="javascript:go('adult games')">adult games [/url]

       <a href="javascript:go('webhosting')">webhosting[/url] |<a href="javascript:go('domain registration')">domain
       registration[/url]| <a href="javascript:go('bonus server')">bonus server [/url]| <a href="javascript:go('voice mail')">voice
       mail[/url] | <a href="javascript:go('work at home')">work at home[/url]

       <a href="javascript:go('adult movies')"> adult movies[/url] |<a href="javascript:go('personal photos')">personal
       photos[/url]| <a href="javascript:go('sex dating')">sex dating[/url] |<a href="javascript:go('free online dating')">free
       online dating[/url]| <a href="javascript:go('xxx dvd')">xxx dvd[/url] |<a href="javascript:go('asian sex')">asian
       sex[/url]| <a href="javascript:go('fetish')">fetish[/url]

       <a href="javascript:go('rv finance')">rv finance[/url] |<a href="javascript:go('visa platinum')">visa
       platinum[/url]| <a href="javascript:go('merchant account')">merchant account[/url]
       |
       <a href="javascript:go('mortgage')">mortgage[/url]

       <a href="javascript:go('spyware')">spyware[/url] |<a href="javascript:go('adware')">adware[/url]|
       <a href="javascript:go('popup blocker')">popup blocker[/url] |<a href="javascript:go('firewall')">firewall[/url]|
       <a href="javascript:go('soft')">soft[/url]</div>
   </div>
   <div align="left"><div align="right"><hr size=1 color=#DEDFEE>
       <p><span id=mhs style="display:none"></span></div></div></form></div></body></html>

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: hijacked browser - need to alter .dll
    « Reply #1 on: April 26, 2005, 11:43:41 AM »
    Kate99....Well if you go to ......
    http://www.majorgeeks.com/download3155.html   and download HijackThis V 1.99.1 ....then run it and save logfile .......   Then post it here and we can tell you what to mark for removal ........
    Also which operating system are you using ?
    let us know

    dl65  ::)
    « Last Edit: April 26, 2005, 11:44:31 AM by dl65 »
    If you don't know the answer, it isn't a dumb question.

    Kate99

    • Guest
    Re: hijacked browser - need to alter .dll
    « Reply #2 on: April 26, 2005, 12:09:53 PM »
    Hi DL65
    Thank you for looking at my problem.  Here is the logfile split over a couple of messages

    Logfile of HijackThis v1.99.1
    Scan saved at 19:06:43, on 26/04/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\TPSMain.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TPSBattM.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\dmsadmins.exe
    C:\WINDOWS\System32\qwinnta.exe
    C:\WINDOWS\System32\sesmgr.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Hi Jack this\HijackThis.exe

    Kate99

    • Guest
    Re: hijacked browser - need to alter .dll
    « Reply #3 on: April 26, 2005, 12:12:20 PM »
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {C1716113-E25F-AA3B-48C7-A0A3F9AECF6B} - SetupExeDll.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE SP2 AddOn - {5F69E4B3-9C94-4CDD-8176-858404FB6D48} - C:\WINDOWS\System32\spnxf.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\System32\AlxTB2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\System32\SHDOCVW.DLL
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo RX

    Kate99

    • Guest
    Re: hijacked browser - need to alter .dll
    « Reply #4 on: April 26, 2005, 12:13:07 PM »
    420"
    O4 - HKLM\..\Run: [systemdll] driver32.exe
    O4 - HKLM\..\Run: [mozilla-text] nmdllw.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
    O4 - HKCU\..\Run: [FLKPT] WhatsNewBot.exe
    O4 - HKCU\..\Run: [teqq32] Testimonials.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
    O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
    O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
    O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\SHDOCVW.DLL
    O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\SHDOCVW.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7986B7-494F-471A-BF5D-FE63A0A384DC}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5A3737-DC0E-4D92-8052-FDC94E05FA1B}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3D7986B7-494F-471A-BF5D-FE63A0A384DC}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3D7986B7-494F-471A-BF5D-FE63A0A384DC}: NameServer = 69.50.176.156,195.225.176.31
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~2\ascserv.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    Kate99

    • Guest
    Re: hijacked browser - need to alter .dll
    « Reply #5 on: April 26, 2005, 12:13:46 PM »
    Sorry - I forgot to add I'm on XP

    Thank you

    Kate99

    • Guest
    Re: hijacked browser - need to alter .dll
    « Reply #6 on: April 26, 2005, 12:39:47 PM »
    Hi Again  :D :D :D

    I used the scan /fix option on the program on the spnxf file and it seems to have fixed my problem, so thank you.

    There is only one other problem now - a toolbar which has stayed on my browser.  The buttons are as follows:

    x Remove Toolbar | (A small search window) | Search | Gambling | Internet | Pharmacy | Finance | Insurance | Adult

    If you click on Remove toolbar, it takes you to various advertising sites.

    If you know how to get rid of this I'll be v. grateful.

    thanks
    Kate

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: hijacked browser - need to alter .dll
      « Reply #7 on: April 26, 2005, 01:21:36 PM »
      Kate99......Ok .....Let's try this .......First close up anything running ......and reboot into SAFE mode ........( repeatedly tap F8 key once it's rebooting and then select "SAFE" mode ) .....
      Now run hijackthis and click config ..
      Next in the 4 URL boxes ....type in
      http://www.google.com
      Next click back .......
      now mark for removal ........the following :
      All R0 entries
      All R1 entries
      All R3 entries
      O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\System32\AlxTB2.dll

      O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\System32\SHDOCVW.DLL

      O4 - HKLM\..\Run: [systemdll] driver32.exe

      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

      O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

      O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
      O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
      O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
      O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
      O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm

      O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\SHDOCVW.DLL
      O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - C:\WINDOWS\System32\SHDOCVW.DLL
      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

      O15 - Trusted Zone: http://*.63.219.181.7

      Ok ......now click fix marked ....

      Once it's finished .......reboot and let us know how things are.


      dl65  ::)
      « Last Edit: April 26, 2005, 02:05:12 PM by dl65 »
      If you don't know the answer, it isn't a dumb question.
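
Added example, not part of any post in this thread and not HijackThis's own code: a small parser that splits log lines like the ones posted above into section code and body, then attaches triage tags. The tag names and the four heuristics are assumptions chosen for illustration; a tag means "verify this entry", not "remove it".

```python
import re

# Lines copied from the HijackThis log posted in this thread (a subset).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {C1716113-E25F-AA3B-48C7-A0A3F9AECF6B} - SetupExeDll.dll (file missing)
O2 - BHO: IE SP2 AddOn - {5F69E4B3-9C94-4CDD-8176-858404FB6D48} - C:\WINDOWS\System32\spnxf.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [systemdll] driver32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7986B7-494F-471A-BF5D-FE63A0A384DC}: NameServer = 69.50.176.156,195.225.176.31
"""

ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
RUN = re.compile(r"Run: \[(.+?)\] (.+)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse(log):
    """Return (code, body) for every line that looks like a HijackThis entry."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def review_tags(code, body):
    """Triage hints (assumed heuristics): things to verify, not verdicts."""
    tags = []
    if body.endswith("(file missing)"):
        tags.append("file-missing")       # registration points at no file
    run = RUN.search(body) if code == "O4" else None
    if run and "\\" not in run.group(2):
        tags.append("run-no-path")        # bare name: find which file it resolves to
    if code == "O15" and IPV4.search(body):
        tags.append("trusted-zone-ip")    # raw IP placed in the Trusted Zone
    if code == "O17" and "NameServer" in body:
        tags.append("static-dns")         # compare with the resolvers the ISP assigns
    return tags

def triage(log):
    """Return {body: tags} for entries that carry at least one tag."""
    out = {}
    for code, body in parse(log):
        tags = review_tags(code, body)
        if tags:
            out[body] = tags
    return out

if __name__ == "__main__":
    for body, tags in triage(SAMPLE_LOG).items():
        print(",".join(tags).ljust(16), body)
```

The spnxf.dll BHO that started this thread gets no tag from these rules, so an untagged entry is not a cleared entry; the tags only order what to look at first.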