xlkbn.dll



#1
aznmudvayne06

So I've been scanning repeatedly, and it won't go away. This is a nasty hijack--puts TV Media on the comp every time I reboot.

So I put a little HTML shortcut on my desktop... is currently keeping the problem solved, but it's slowing my IE down.

Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 9:25:54 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\DefWatch.exe
C:\LDCLIENT\LOCALSCH.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\LDCLIENT\TMCSVC.EXE
C:\Program Files\Net Nanny\NNSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Net Nanny\nntray.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\sysxm.exe
C:\WINDOWS\sdkyv32.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Eugene\Spyscan\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlkbn.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlkbn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xlkbn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C7F8F9B4-5233-5460-C2DB-34313EC35B32} - C:\WINDOWS\sdkax32.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\NNTray.exe /autorun
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysxm.exe] C:\WINDOWS\system32\sysxm.exe
O4 - HKLM\..\RunOnce: [mfclq.exe] C:\WINDOWS\mfclq.exe
O4 - HKLM\..\RunOnce: [sdkyv32.exe] C:\WINDOWS\sdkyv32.exe
O4 - HKLM\..\RunOnce: [ieqt32.exe] C:\WINDOWS\system32\ieqt32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} - http://download.macr...are/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {3E9B39EF-5BBD-C23B-CC66-F1DE3B25B22B} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://hanabank.co.k...INIplugin40.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mayo.edu
O17 - HKLM\Software\..\Telephony: DomainName = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D83E26-BA75-4BB3-B0CD-209D2870AA27}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D83E26-BA75-4BB3-B0CD-209D2870AA27}: NameServer = 129.176.199.5,129.176.100.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F40F62-B92F-4F59-9DBA-8130C21C6053}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F40F62-B92F-4F59-9DBA-8130C21C6053}: NameServer = 129.176.199.5,129.176.100.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32FF779-3B67-4F96-95FF-3F3CAAA115E1}: Domain = mayo.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{C32FF779-3B67-4F96-95FF-3F3CAAA115E1}: NameServer = 129.176.171.5,129.176.199.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mayo.edu

Meh. This is really annoying.. I've even tried the safe mode thing to delete the TV Media, but the home page hijack is still there. I've removed the BHO that causes this numerous times with Spybot, and I've scanned with the custom options in Adaware...

I've decided that whoever wrote the code for this is gonna get a swift kick in the arse if I ever find them.

Thanks.
  • 0



#2
admin

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlkbn.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlkbn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xlkbn.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xlkbn.dll/sp.html#96676
O2 - BHO: (no name) - {C7F8F9B4-5233-5460-C2DB-34313EC35B32} - C:\WINDOWS\sdkax32.dll
O4 - HKLM\..\Run: [sysxm.exe] C:\WINDOWS\system32\sysxm.exe
O4 - HKLM\..\RunOnce: [mfclq.exe] C:\WINDOWS\mfclq.exe
O4 - HKLM\..\RunOnce: [sdkyv32.exe] C:\WINDOWS\sdkyv32.exe
O4 - HKLM\..\RunOnce: [ieqt32.exe] C:\WINDOWS\system32\ieqt32.exe
O16 - DPF: {3E9B39EF-5BBD-C23B-CC66-F1DE3B25B22B} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6AD92401-CE2D-452B-AA63-1291D60EC2D2} (AxINIplugin40 Control) - http://hanabank.co.k...INIplugin40.cab

Reboot in safe mode (by tapping F8 at startup and selecting safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\sdkax32.dll
C:\WINDOWS\system32\sysxm.exe
C:\WINDOWS\mfclq.exe
C:\WINDOWS\sdkyv32.exe
C:\WINDOWS\system32\ieqt32.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. <_<
  • 0
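
An added example, not part of either post and not code from HijackThis: a small Python triage pass over HijackThis-format log lines, run on an excerpt of the log posted in this thread. The three heuristics (a `res://` IE page, a BHO DLL directly under `C:\WINDOWS`, an autorun value named after its own executable) are assumptions drawn from the entries the reply selected for fixing, and the function names `parse` and `triage` are hypothetical.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Excerpt of the HijackThis log posted above (entries copied from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xlkbn.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C7F8F9B4-5233-5460-C2DB-34313EC35B32} - C:\WINDOWS\sdkax32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [sysxm.exe] C:\WINDOWS\system32\sysxm.exe
O4 - HKLM\..\RunOnce: [mfclq.exe] C:\WINDOWS\mfclq.exe
"""

# An entry line is "<letter><digits> - <body>"; header and process lines do not match.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
AUTORUN = re.compile(r".*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse(log):
    """Yield (code, body) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def triage(log):
    """Return [(code, reason, body)] for entries matching the assumed heuristics."""
    hits = []
    for code, body in parse(log):
        if code in ("R0", "R1") and "= res://" in body:
            hits.append((code, "IE page served from a DLL resource (res://)", body))
        elif code == "O2":
            path = body.rsplit(" - ", 1)[-1]  # last field is the DLL path
            if dirname(path).lower() == r"c:\windows":
                hits.append((code, "BHO DLL sits directly in the Windows directory", body))
        elif code == "O4":
            m = AUTORUN.match(body)
            if m and m["name"].lower() == basename(m["cmd"].strip('"')).lower():
                hits.append((code, "autorun value is named after its own executable", body))
    return hits

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

A hit is a reason to look at the entry, not a verdict; the Adobe BHOs and `IgfxTray` in the same excerpt pass untouched.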





