#1
XP gets redirected to http://296f8.ilxt.info/index.php?aid=632
Hi all,
I am in a difficult problem. I get redirected to http://296f8.ilxt.info/index.php?aid=632 as homepage and also when accessing mail.yahoo.com. Please help. This is my hijack log. This log is taken with all IE closed, but not in safe mode.
Thanks in advance
-manesh

Logfile of HijackThis v1.97.7
Scan saved at 3:21:10 PM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\manesh\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\zrxmpscviwk.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_ 12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
#2
Hi.
Download Aboutbuster: Get About:Buster from here: http://www.majorgeeks.com/download4289.html
Unzip it to an "Aboutbuster" folder on your Desktop.
Run About:buster. You will need to click on "update" first.
Reboot into Safe Mode.
Run About:buster twice. Then copy and paste the results from the -Buster report- window, after each scan.
Copy both scan reports back to this thread please, along with a new Hijackthis log.
#3
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632 - this is what starts the redirection you started with in your post. Check fix in hijackThis and remove.
The Yahoo toolbar is what chooses your page when you are at yahoo and elsewhere. The google toolbar chooses what it wants to give you. If you remove all the yahoo and google items and- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632 - you should have full control.
#4
Hi brahmos,
Keep Google and Yahoo toolbars if you use them. You have a CWS hijack.

Run CWShredder version 1.59.1 in SAFE MODE: http://www.downloads.subratam.org/CWShredder.exe
Open CWShredder and click on the Fix button to find and fix any problems.
After CWShredder has run, Reboot Computer.

2. Can you please update HijackThis. Remove older version after download, then run new version of HijackThis.exe. The latest version is 1.98.2 .... download here: http://www.downloads.subratam.org/hijackthis.zip
Move HijackThis.exe into its own folder.

2. Close ALL browser Windows, only have HijackThis running. In HijackThis, check the boxes beside the below entries, then click on "Fix checked".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\zrxmpscviwk.dll
The above are CWS

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

Close HijackThis, and REBOOT.

3. Download Ad-aware to finish cleaning up. It is critical that you UPDATE Ad-aware, before scanning. Ad-aware download here and please read: HOW TO PERFORM A FULL SYSTEM SCAN With Ad-aware 6 Build 181
Remove all that Ad-aware finds.

Reboot computer and post back a new HJT log to this thread, please.
Cheers.
#5
http://296f8.ilxt.info/index.php?aid=632
hello all,
I am having a similar problem. I am constantly redirected to http://296f8.ilxt.info/index.php?aid=632 each time that I try to update Windows or to check any secure sites. Also, quite frequently my home page is changed to http://www.windowws.cc/hp.htm?id=632. My log file reads:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\cmu\symantec\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\cmu\symantec\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\cmu\symantec\vptray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\kstatus.exe
C:\WINDOWS\system32\krbcc32s.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jon\Desktop\Hjt\HijackThis.exe
C:\Program Files\cmu\mulberry\Mulberry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\dj8jbsd138.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\RunOnce: [*untcp] C:\WINDOWS\addins\untcp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: kstatus.exe.lnk = C:\WINDOWS\system32\kstatus.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O20 - AppInit_DLLs: bxsvn8kzu9ejo.tlb

I would really appreciate any help anyone can offer on this topic, for this problem has become much more than a nuisance and is impeding on my work.
Sincerely Yours,
Visor jon
#6
P.s.
I have tried removing these files several times, only to have them come back. I'm not quite sure what triggers their return.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632 - you should have full control
#7
Hi Visorjon...
In safe mode, remove these items from your log and any files highlighted from your computer, and then, still in safe mode, run "CWShredder". Make sure to have your system set to show hidden files and folders.. Check Here

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\dj8jbsd138.dll
O4 - Global Startup: kstatus.exe.lnk = C:\WINDOWS\system32\kstatus.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: bxsvn8kzu9ejo.tlb
C:\WINDOWS\system32\krbcc32s.exe

Remove this entry if it is not on wireless network..
O4 - HKLM\..\RunOnce: [*untcp] C:\WINDOWS\addins\untcp.exe
#8
There is no need to remove:
O4 - Global Startup: kstatus.exe.lnk = C:\WINDOWS\system32\kstatus.exe
C:\WINDOWS\system32\krbcc32s.exe
If you installed Kerberos for Windows (network authentication). http://web.mit.edu/kerberos/www/
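
The entries the helpers single out in this thread (the R0 start page, the unnamed O2 BHO in System32, and O20 AppInit_DLLs) can be picked out of a run-together log mechanically. The following Python is an added example, not part of any post and not HijackThis's own logic; the three rules and the `EXPECTED_START_HOSTS` allow-list are assumptions, and the sample lines are copied from the second log in this thread.

```python
import re
from urllib.parse import urlparse

# HijackThis section codes: R0-R3, F0-F3, N1-N4, O1-O2x.
MARK = r"(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2})"
ENTRY = re.compile(rf"^({MARK}) - (.*)$", re.S)

# Assumption: hosts the user actually wants as a start page.
EXPECTED_START_HOSTS = {"www.google.com", "www.yahoo.com"}

# Lines from the second log in this thread, run together as the forum shows them.
SAMPLE = (
    r"C:\WINDOWS\Explorer.EXE "
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632 "
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\dj8jbsd138.dll "
    r"O4 - Global Startup: kstatus.exe.lnk = C:\WINDOWS\system32\kstatus.exe "
    r"O20 - AppInit_DLLs: bxsvn8kzu9ejo.tlb"
)

def split_entries(text):
    """Split a log (one entry per line, or run together) into (code, body) pairs."""
    out = []
    for chunk in re.split(rf"\s+(?={MARK} - )", text.strip()):
        m = ENTRY.match(chunk)
        if m:  # the process list and header lines carry no section code
            out.append((m.group(1), " ".join(m.group(2).split())))
    return out

def triage(entries):
    """Return (code, reason) for entries matching the patterns flagged in the thread."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1") and "Start Page" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if host not in EXPECTED_START_HOSTS:
                findings.append((code, f"start page points at {host}"))
        elif code == "O2" and "(no name)" in body:
            dll = body.rsplit(" - ", 1)[-1]
            # Unnamed BHO whose DLL sits directly in System32.
            if re.fullmatch(r"(?i)c:\\windows\\system32\\[^\\]+\.dll", dll):
                findings.append((code, f"unnamed BHO in System32: {dll}"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            val = body.split(":", 1)[1].strip()
            if val:  # any DLL injected via AppInit_DLLs deserves a look
                findings.append((code, f"AppInit_DLLs set to {val}"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(split_entries(SAMPLE)):
        print(code, reason)
```

The kstatus.exe startup entry is deliberately not flagged, matching the point above that it belongs to Kerberos for Windows.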
#9
You rule
yup it worked thanks dude
#10
Wrong thread
Last edited by cathybilly; August 25th, 2004 at 02:00 AM.