[ibroussard]

At first, the only problem was the home page getting hijacked. I could still go to any website I wanted to. Now, when I try to go to any website (except probably the one set up by the hijacker), I get...

Access blocked - Virus Warning!

The URL address for this screen is "res://xmllib.dll/HTTP_Blocked.htm"

Here's a current HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 10:27:25 AM, on 7/7/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\msdtc.exe
H:\Symantec\SYMANT~1\SYMANT~1\DefWatch.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\System32\llssrv.exe
H:\No-IP Dynamic Update Client\No-IP\DUC20.exe
H:\Symantec\SYMANT~1\SYMANT~1\Rtvscan.exe
H:\Quicken Online Backup\OLRegCap.EXE
H:\Quicken Online Backup\OLlaunch.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\explorer.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\SMSSU.EXE
E:\WINNT\System32\Tmntsrv32.EXE
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\Dfssvc.exe
E:\WINNT\System32\inetsrv\inetinfo.exe
E:\WINNT\system32\ZONELABS\minilog.exe
H:\vision~3\paperp~1\pptd40nt.exe
E:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\WINNT\System32\DACONFIG.EXE
E:\WINNT\System32\qttask.exe
E:\WINNT\loadqm.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
H:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
H:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
H:\Visioneer\PaperPort\PPWebCap.exe
H:\SERV-U~1\Serv-U\SERVUT~1.EXE
E:\WINNT\win32res.exe
E:\WINNT\System32\SMSSU.EXE
E:\WINNT\System32\Tmntsrv32.EXE
H:\Microsoft Office\Office\FINDFAST.EXE
H:\Microsoft Office\Office\MSOFFICE.EXE
H:\Microsoft Office\Office\OSA.EXE
H:\QuickenW2K\QWDLLS.EXE
H:\WinZip 8.1\WZQKPICK.EXE
H:\Zone Labs\ZoneAlarm\zapro.exe
H:\lotus\wordpro\ltsstart.exe
H:\No-IP Dynamic Update Client\No-IP\DUC20.exe
H:\Quicken Online Backup\OLSysTray.exe
H:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - E:\WINNT\xmllib.dll
O4 - HKLM\..\Run: [AudioHQ] h:\creative\sblive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [PaperPort PTD] h:\vision~3\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [InstantAccess] E:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] E:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [QuickTime Task] "E:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "H:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] H:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] E:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [PPWebCap] H:\Visioneer\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [ServUTrayIcon] H:\SERV-U~1\Serv-U\SERVUT~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Win32res] E:\WINNT\win32res.exe
O4 - HKCU\..\Run: [Spyware Doctor] "H:\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SMSSU] E:\WINNT\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] E:\WINNT\System32\Tmntsrv32.EXE
O4 - Startup: America Online 5.0 Tray Icon.lnk = H:\AOL 5.0\America Online 5.0\aoltray.exe
O4 - Startup: Lotus QuickStart.lnk = H:\lotus\wordpro\ltsstart.exe
O4 - Startup: No-IP DUC.lnk = H:\No-IP Dynamic Update Client\No-IP\DUC20.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Quicken Online Backup TaskBar Icon.LNK = H:\Quicken Online Backup\OLSysTray.exe
O4 - Global Startup: Billminder.lnk = H:\QuickenW2K\BILLMIND.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = system32\spool\drivers\w32x86\2\E_SRCV03.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = H:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = H:\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = H:\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = H:\QuickenW2K\QWDLLS.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = H:\Trend Micro Anti-Spyware\Tmas.exe
O4 - Global Startup: WinZip Quick Pick.lnk = H:\WinZip 8.1\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = H:\Zone Labs\ZoneAlarm\zapro.exe
O13 - WWW. Prefix: http://
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{51A4E744-E63E-4686-81C8-F6846140B70D}: NameServer = 151.164.11.201,151.164.1.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{51A4E744-E63E-4686-81C8-F6846140B70D}: NameServer = 151.164.11.201,151.164.1.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{51A4E744-E63E-4686-81C8-F6846140B70D}: NameServer = 151.164.11.201,151.164.1.8
O20 - Winlogon Notify: NavLogon - E:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - H:\Symantec\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - E:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - H:\No-IP Dynamic Update Client\No-IP\DUC20.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - H:\Symantec\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Quicken Online Backup RegCap (OLRegCap) - Intuit Inc. - H:\Quicken Online Backup\OLRegCap.EXE
O23 - Service: Quicken Online Backup Launcher (Quicken Online BackupLauncher) - Intuit Inc. - H:\Quicken Online Backup\OLlaunch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZONELABS\vsmon.exe

Thanks,
Ira

[Advertisements]

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKCU\..\Run: [Win32res] E:\WINNT\win32res.exe

O4 - Startup: PowerReg SchedulerV2.exe

Download and run:
http://users.pandora...patchy/FixO.exe

After the reboot post a new HijackThis log

Regards,

[Metallica]

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKCU\..\Run: [Win32res] E:\WINNT\win32res.exe

O4 - Startup: PowerReg SchedulerV2.exe

Download and run:
http://users.pandora...patchy/FixO.exe

After the reboot post a new HijackThis log

Regards,

[ibroussard]

I followed your instructions, and it looks like everything works correctly now. The only odd think I noticed is that in my IE restricted zone, I have about a dozen entries, probably all CWS-type entries...

superwp.by.ru
*.coolwebsearch.
*.coolwwwsearch.
catss.ad.ru
...etc., etc., etc.

I happened to notice these for the first time yesterday when trying to diagnose the hijacker. They are the same ones that were in the restricted zone while I was hijacked. If I tried to remove them yesterday, they would always come back. They still come back after removing them now, even though I don't seem to be hijacked any more.

Here's the latest HJT log, after following all your instructions above.

Thanks,
Ira

Logfile of HijackThis v1.99.1
Scan saved at 12:16:51 PM, on 7/7/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\msdtc.exe
H:\Symantec\SYMANT~1\SYMANT~1\DefWatch.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\System32\llssrv.exe
H:\No-IP Dynamic Update Client\No-IP\DUC20.exe
E:\WINNT\Explorer.EXE
H:\Symantec\SYMANT~1\SYMANT~1\Rtvscan.exe
H:\Quicken Online Backup\OLRegCap.EXE
H:\Quicken Online Backup\OLlaunch.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\Dfssvc.exe
E:\WINNT\System32\inetsrv\inetinfo.exe
E:\WINNT\system32\ZONELABS\minilog.exe
H:\vision~3\paperp~1\pptd40nt.exe
E:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\WINNT\System32\DACONFIG.EXE
E:\WINNT\System32\qttask.exe
E:\WINNT\loadqm.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
H:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
H:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
H:\Visioneer\PaperPort\PPWebCap.exe
H:\SERV-U~1\Serv-U\SERVUT~1.EXE
H:\Spyware Doctor\swdoctor.exe
H:\Microsoft Office\Office\FINDFAST.EXE
H:\Microsoft Office\Office\MSOFFICE.EXE
H:\Microsoft Office\Office\OSA.EXE
H:\QuickenW2K\QWDLLS.EXE
H:\Trend Micro Anti-Spyware\Tmas.exe
H:\WinZip 8.1\WZQKPICK.EXE
H:\Zone Labs\ZoneAlarm\zapro.exe
H:\lotus\wordpro\ltsstart.exe
H:\No-IP Dynamic Update Client\No-IP\DUC20.exe
H:\Quicken Online Backup\OLSysTray.exe
H:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [AudioHQ] h:\creative\sblive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [PaperPort PTD] h:\vision~3\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [InstantAccess] E:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] E:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [QuickTime Task] "E:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "H:\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] H:\Symantec\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] E:\PROGRA~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [PPWebCap] H:\Visioneer\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [ServUTrayIcon] H:\SERV-U~1\Serv-U\SERVUT~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "H:\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: America Online 5.0 Tray Icon.lnk = H:\AOL 5.0\America Online 5.0\aoltray.exe
O4 - Startup: Lotus QuickStart.lnk = H:\lotus\wordpro\ltsstart.exe
O4 - Startup: No-IP DUC.lnk = H:\No-IP Dynamic Update Client\No-IP\DUC20.exe
O4 - Startup: Quicken Online Backup TaskBar Icon.LNK = H:\Quicken Online Backup\OLSysTray.exe
O4 - Global Startup: Billminder.lnk = H:\QuickenW2K\BILLMIND.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = system32\spool\drivers\w32x86\2\E_SRCV03.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = H:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = H:\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = H:\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = H:\QuickenW2K\QWDLLS.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = H:\Trend Micro Anti-Spyware\Tmas.exe
O4 - Global Startup: WinZip Quick Pick.lnk = H:\WinZip 8.1\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = H:\Zone Labs\ZoneAlarm\zapro.exe
O13 - WWW. Prefix: http://
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{51A4E744-E63E-4686-81C8-F6846140B70D}: NameServer = 151.164.11.201,151.164.1.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{51A4E744-E63E-4686-81C8-F6846140B70D}: NameServer = 151.164.11.201,151.164.1.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{51A4E744-E63E-4686-81C8-F6846140B70D}: NameServer = 151.164.11.201,151.164.1.8
O20 - Winlogon Notify: NavLogon - E:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - H:\Symantec\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - E:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - H:\No-IP Dynamic Update Client\No-IP\DUC20.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - H:\Symantec\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Quicken Online Backup RegCap (OLRegCap) - Intuit Inc. - H:\Quicken Online Backup\OLRegCap.EXE
O23 - Service: Quicken Online Backup Launcher (Quicken Online BackupLauncher) - Intuit Inc. - H:\Quicken Online Backup\OLlaunch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZONELABS\vsmon.exe

[Metallica]

Well. As long as those entries are in your Restricted zone and the settings for the restricted zone are as they should be (not allowing one thing) then I'd be happy they are in there.

Some anti-spyware application you used may have put them there.
I'm guessing Spyware Doctor

Your log is clean.

Please do have a look at my site about removing and preventing spyware.

Regards,