Ali

Browser Hijack Nightmare!! HELP!!!


Last night I installed Windows XP SP2 (Beta) and Windows Media Player 10 just to see how they work. Guess what, as soon as I finished checking things out (the firewall settings, etc.) Internet Explorer ended up with two pieces of spyware. One I could remove (MySearchBar) and the other one I'm stuck with and I can't figure out how to remove it.

 

I have uninstalled SP2 since I kept getting spyware from any site I visited!!! Or it seemed like it. Got rid of SP2 and it's all back to normal.

 

It changes my homepage to about:blank, but there is a "Search for..." page as my homepage, a few suspicious items are added in Favorites, and NOTHING PICKS THE DAMN THING UP! ;(

I used Ad-Aware and Spybot, and "Spyware Nuker" (??) which picked it up as Slotch XXX Toolbar, but it is not correct because my computer does not contain any of the components they mention in the removal instructions for that "thing". (There is no actual TOOLBAR, nothing in Add/Remove Programs, the reg. keys they mention don't match, and there is no tinybar.exe anywhere on any of my HDDs.)

 

If I get my hands on the bastards who make such pains I'll choke them to death!!! They don't even dare to put a contact link or company name, or copyright, or anything in there. Bastards. ;(

 

 

Please somebody help!!!!!!!


A browser helper object (BHO) does not always appear as a toolbar but does get invoked whenever you bring up IE or those browsers that use IE components.

 

Download BHODemon 2.0 (it's free) and it will tell you what BHOs exist (and you can disable them). It will also tell you if something is changing your homepage or writing a value in your registry.

 

SpywareGuard (also free) also protects your homepage.

 

SpywareBlaster (also free) will load dozens of sites known to infect systems and keep them from running.

 

Finally, PestPatrol (not free but reasonable) will do a better job than most in finding pests, spyware, and the like. It runs in memory after it is installed and will alert you if something is being installed.

 

Spyware Stopper is "free" until you need to update virus definitions. You get one free update, then you will have to pay a yearly subscription.


WOW, it picked it up!!! It worked!!!

 

Thank you very much for your help.

I had disabled System Restore. BHODemon 2.0 found gfmhaab.dll, which I deleted in safe mode, and the program also gave me the registry location (deleted that too) and it's gone!!!!! laugh Everything is working so far!!!

 

Thank you very much for your reply, I was so close to giving up and reformatting the hard drive. wink

 

Got to find out who wrote that annoying piece of BHO that gave me tons of headaches!!!! If I get my hands on the producer of that thing I'll break my foot kicking him so hard in his.... shocked Never mind.


Is the bar you can't remove the one called ISEARCH? Because I have that thing. If you can find a program to remove those things, such as XoftSpy or Adware Remover, you can get rid of everything. I have over 4800 spyware-infected files, so don't feel bad.


Hi guys, me again!!!! I have removed this BHO crap and the system works well for about 4~5 hrs and then the same thing happens again. Now the dll file name and the registry value keep changing, but the same site comes up!!!! How the hell do they do that?

 

This all started happening after I installed SP2 (of course I have removed it now!!!), but this is the only computer I have this problem with. Now the name of the file is phanaa.dll and in the registry: CLSID {3019DB0B-E808-45A0-9D2E-F44A4586EF4F}

 

I'm thinking there might be a flaw in the security for IE that has happened after installing SP2. Or there might be other things on the computer that make this happen again and again?

 

Any suggestions?

Thank you


The program BHOList.exe comes from Merijn Bellekom, the developer of StartupList and HijackThis! It downloads and displays the BHO Collection in a searchable and sortable list. It will contain the names of some nasties which may have set off your virus scan, Ali, but I doubt that it actually contains any trojans. I use both AVG 7.0 and EZTrust and neither gave me an indication of a problem.

 


I only use Norton Antivirus 2003 with the latest definitions.

 

Now the problem is worse than I thought!!! It keeps coming back because (I think) Microsoft SP2 has removed the security updates that were provided after SP1!!!!! They are still showing in Add/Remove Programs, and when I go to the Windows Update website it tells me no updates are available!!! BUT WHEN THE BLASTER WORM IS SHUTTING DOWN MY SYSTEM and all of a sudden, for the first time in my life, I'm flooded with BHOs, I'm convinced that after installing SP2 something went wrong with all the fix patches that were installed before!!!!

 

 

I'm trying to remove the viruses in safe mode and install the updates manually, to see what happens. If it doesn't work, I'll just wipe it clean and start from scratch!!!!

 

I won't install SP2 after it comes out until they fix all this crap!!!!


Thank you guys for all your replies. You guys are the best.

 

Funny!!! I just got the RPC thing that shuts down the system and guess what!!! I got removal tools from Norton; it's not Blaster, not Sasser, not Welchia (these guys are not found on the system!!!). What else does that?

I'm running a full system scan using Norton and it is not picking up anything at all (running it in safe mode)!!!

 

This just proves how useless antivirus software is when there is actually a virus in the system!!! They don't do anything! ;(

 

What other worm/trojan/virus gives you that RPC message?

 

 

I'm thinking the entire computer business is so fragile with all the software problems. Linux is difficult to use (and I'm still struggling to learn the basics) and Windows is insecure! What should be done about this! This is not a question of taste or personal preference, but a question of survival of the human race until we wipe ourselves off the face of the planet with a piece of computer code!!!! laugh (You can tell I'm going nuts!!!)


Look at this url: http://www.pestpatrol.com/Search/default.asp?qu=RPC&sc=%2F&Action=Go

You asked what other ones give this "RPC" message? Here are ten to start with:

1. PestPatrol Pest Info - Exploit.Win32.DCom.e
   http://www.pestpatrol.com/pestinfo/e/exploit_win32_dcom_e.asp (11068 bytes, 6/24/2004 4:07:03 PM GMT)
2. PestPatrol Pest Info - Rpc-cmsd.c
   http://www.pestpatrol.com/pestinfo/r/rpc-cmsd_c.asp (10138 bytes, 6/21/2004 8:00:51 PM GMT)
3. PestPatrol Pest Info - RPC portmapper set/unset
   http://www.pestpatrol.com/pestinfo/r/rpc_portmapper_set_unset.asp (10895 bytes, 6/21/2004 8:01:03 PM GMT)
4. PestPatrol Pest Info - Rpc Bind 1.1
   http://www.pestpatrol.com/pestinfo/r/rpc_bind_1_1.asp (13136 bytes, 6/21/2004 8:00:54 PM GMT)
5. PestPatrol Pest Info - Sadmind Solaris RPC tiny Scanner
   http://www.pestpatrol.com/pestinfo/s/sadmind_solaris_rpc_tiny_scanner.asp (10740 bytes, 6/21/2004 8:02:45 PM GMT)
6. PestPatrol Pest Info - RPC Program Scanner
   http://www.pestpatrol.com/pestinfo/r/rpc_program_scanner.asp (10091 bytes, 6/21/2004 8:01:04 PM GMT)
7. PestPatrol Pest Info - Rpc scanner by console
   http://www.pestpatrol.com/pestinfo/r/rpc_scanner_by_console.asp (10496 bytes, 6/21/2004 8:01:04 PM GMT)
8. PestPatrol Pest Info - Prout.c abuse of pcnfs RPC program (version 2 only)
   http://www.pestpatrol.com/pestinfo/p/prout_c_abuse_of_pcnfs_rpc_program__version_2_only_.asp (10864 bytes, 6/21/2004 7:48:28 PM GMT)
9. PestPatrol Pest Info - Pscan2.c TCP/UDP/NIS/RPC scanner
   http://www.pestpatrol.com/pestinfo/p/pscan2_c_tcp_udp_nis_rpc_scanner.asp (10735 bytes, 6/21/2004 7:48:41 PM GMT)
10. PestPatrol Pest Info - Unknown Flooder
   http://www.pestpatrol.com/pestinfo/u/unknown_flooder.asp (16544 bytes, 6/21/2004 9:07:42 PM GMT)

 


Oh man, you said there was no information on that thing about a year ago!!! There is no information about anything named W32Parity on the Norton and McAfee websites. They must be using another name for it or something.

I searched google, and guess what i found: http://www.ntcompatible.com/thread27230-1.html

And that is the only result.

 

PestPatrol worked, and BHODemon helped me remove my 4th BHO, and everything looks fine, but I know the thing is still in there, because when I type about:blank in IE, or type any invalid URL, that "search for..." site comes up. No sign of that RPC thing!!! It just disappeared, just like that, like it never existed!!!!

 

Now what? Wait and see if there are more problems? How come it's working for a few hrs and then everything goes upside down? Is there a time trigger or something?

 

It all started after installing SP2! I was so stupid; you know when they say if it ain't broke don't fix it!!! That is my problem!!! frown

 

Is there any way I could fix that blank page problem, though? Where should I look to see what defines the "blank" page in Windows?

 

APK, I'm not using Kazaa or anything like that (if you remember, AlecStaar, a long time ago I had issues with my clients who used Kazaa!! and I talked to my workplace managers and the owner because you said you could create code that could remove Kazaa or block it or something, I can't remember. But the owner of the business (after a while running after him) finally told me that I'm overreacting, and they cannot go with that plan. Now they are charging people $149 if any trace of any P2P software is found on their system before they even consider looking at any software (so much for me overreacting).

 

 

Alec, you are one of the most helpful people on this forum and one of the most knowledgeable ones. I really appreciate all your help. wink


Originally posted by sp4rk911:

Quote:
Is the bar you can't remove the one called ISEARCH? Because I have that thing. If you can find a program to remove those things, such as XoftSpy or Adware Remover, you can get rid of everything. I have over 4800 spyware-infected files, so don't feel bad.

 

Thanks for the reply, man, but don't come to my service department because I hate spyware so much now!!! laugh

 


Originally posted by Sampson:

Quote:
Look at this url: http://www.pestpatrol.com/Search/default.asp?qu=RPC&sc=%2F&Action=Go

You asked what other ones give this "RPC" message? Here are ten to start with:

That's gonna take me a while, getting to all of them. I'm getting on them now, thank you!

 

Edit: all of them seem to be picked up by PestPatrol and none of them turned up in the scans. This was a great help, though; I put this post somewhere else on this forum where they had the RPC issue when connecting to the ISP (if you don't mind). This may help him too.

 

Thank you very much Sampson. smile


Originally posted by AlecStaar:

 

Thanks, but I forget things & the spelling was wrong above: it's "W32Parite" (my nephew had to remind me by phone & I am at fault on both threads, because it is spelt this way, not the way I spelled it above).

 

P.S.=> My nephew got it from Kazaa use & another user putting out infected files on it, & W32Parite did one "good" thing: Cured him of filesharing programs! apk

 

 

BINGO:

Quote:

W32.Pinfi is a memory-resident polymorphic virus that will infect the .EXE and .SCR files. This virus can also spread via mapped drives and network shares.

 

Also Known As: Win32.Parite.a [KAV], W32/Pate.a [McAfee], Win32.Pinfi.A [CA], PE_PARITE.A [Trend], W32/Parite-A [sophos], Win32/Parite.A [RAV]

 

Type: Virus

Infection Length: ~177,917 bytes

 

 

Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Systems Not Affected: Macintosh, OS/2, UNIX, Linux

 

and here is a look at the solution:

Quote:

1. Disable System Restore (Windows Me/XP). (have done it)

2. Update the virus definitions. (done that)

3. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT). (done that)

4. Run a full system scan and repair all the files detected as W32.Pinfi. (there are none)

5. Reverse the value that the virus added to the registry. (it's not there!)

 

The good news is this is not it!!! Because the registry item they mention is not there! The bad news is that I'm still lost and have no idea what's going on!!! laugh

 

 


HEY I FOUND THE BASTARD!!!

 

I found the URL for the site where all my problems are coming from (with some tracing stuff) and my DNS provider gave me the Whois information for the guy!!! What is the best way of punishing the ass****? He has got to learn to earn his money by hard work, not by stealing on the internet!!! And spreading the stuff all over my computer!!!!

 

Here is the domain name if you want to look it up:

D8T.BIZ

And he uses lots of submasks and stuff!!!

It looks like he has provided a false phone number and his name doesn't sound right. And to top that off, he is giving out his Yahoo mail!

 

Could I give his info to the FBI or something? Any suggestion on how I could have revenge on this guy laugh ?

And look at this:

>>>> Whois database was last updated on: Fri Jun 25 06:21:43 GMT 2004 <<<<


Norton is not capable of finding the culprits in your system.

 

Download a good AV program (Kaspersky 5.0 trial version www.kaspersky.com)

Run the updates, scan your pc, it WILL find the trojans on your HDD.

 

Next: Download SpyBot Search and Destroy:

http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button

 

Run the updates, scan your HDD; it will remove the registry entries.

 

I had the same issues going on, the above cleared it up & kept me from formatting.

 

JR


None of it worked; it's still there and it's installing crap on my computer every 2~3 hrs. The guy surely receives the emails, but no response.

 

I'm formatting the computer to reinstall Windows, but the cheap 56x CD-ROM is acting up in the middle of installation (it stops functioning when it gets warm)!!! Just to make my life more miserable!!! Thank god I always have at least two copies of my important files. Got to buy a new CD drive for the computer! It's just that at this time I'm totally broke (planning to get a DVD-RW drive, but if the CD dies now, I could only replace it with another cheap one!!!). They say worse things happen at the worst time!!! laugh

 

Wish me luck, since this is the 3rd time I'm formatting my primary RAID partition to get Windows installed!!!

 

And thank you for all your help; I can't do without it.


smile I found the answer! (Or at least it works for now...) The pop-up comes up saying "you might be infected by spyware........." I downloaded BHODemon and it showed this:

 

{F51CCAF2-C6EB-4C4A-BB92-C5F4F1904166}

C:\WINDOWS\System32\jbafagd.dll

 

What I did was go to the registry (regedit, if someone does not know) and delete all entries containing "jbafagd.dll" and "{F51CCAF2-C6EB-4C4A-BB92-C5F4F1904166}", and also delete the file. The problem was solved. If you decide to do it, DO IT AT YOUR OWN RISK.


Hi Ali,

 

I know I haven't contributed to this thread, although everything has pretty much been said. But I have just seen this http://www.majorgeeks.com/download4281.html on the front page, which looks pretty cool (I ain't tried it yet, as I am at work, and I can't register it (it must use another port apart from 8080)).

I will try it when I get home. Anyway, just thought you might as well give it a try too.

 

GL

 


I have the same browser problem, only mine started as "mukeh.dll" and kept changing to some weird stuff. I tried going to the registry and deleting the keys, but after 15 or so minutes it just comes back, which leads me to believe a program (hidden, of course) is installing it. I have run Ad-Aware, Spybot, AVG antivirus, Panda, Norton's; none pick it up and I think it is a very well executed pain in the a..... Funny enough, I have picked through my whole system32 folder (because one antivirus program told me that was where it was) file by painstaking file and found only one program called "loader". I deleted it, rebooted and.........."PRESTO" there was old faithful "mukeh.dll" running my sh....... So Ali, I feel you, bro; thought I knew a little sumptin sumptin about computers but this one almost has me tossing it out the window.

 

Peace y'all, and God bless whoever comes up with the answer.


I was having similar problems on a work computer and I found a file called "jushed32.exe" or similar. I stopped it and renamed it and since then, no more problems.

 

I have a simple rule regarding programs:

 

"If there's no author's information etc. on the .exe when I right-click on the file, it gets shut down and deleted. If they don't have the integrity to put their name on it, blow it away."


Good rule. You might also check to see if it deleted the program C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

That file is part of the Bizten family of Trojans. It also plays fast and furious with IE's toolbars so you might also want to check the following Registry keys:

HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar

HKLM\Software\Microsoft\Internet Explorer\Main\Start Page

HKLM\Software\Microsoft\Internet Explorer\Main\Search Page

HKLM\Software\Microsoft\Internet Explorer\Main\SearchURL

HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant

HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

HKLM\Software\Microsoft\Internet Explorer\TypedURLs\url1

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

HKCU\Software\Microsoft\Internet Explorer\Main\Search Page

HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL

HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant

HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1

 

 

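Added example, written for this thread and not code from any poster or tool mentioned in it: a read-only PowerShell inventory of the IE hijack points the thread keeps coming back to. It lists each registered Browser Helper Object with the DLL its CLSID resolves to (the lookup BHODemon performs for you) and then dumps the Start Page / Search values from the HKLM and HKCU keys listed in the post above; the "REVIEW" flag for an unsigned DLL with no vendor information is my own heuristic, modelled on the "no author's information" rule a few posts up, not a detection rule from the thread.

```powershell
# Added example (not from the thread). Read-only: it changes nothing.
# Run from an elevated PowerShell on the affected machine.

$bhoRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

Write-Host "== Registered Browser Helper Objects =="
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }          # Wow6432Node is absent on 32-bit systems
    foreach ($key in Get-ChildItem $root) {
        $clsid  = $key.PSChildName
        # IE resolves the CLSID through HKCR; InprocServer32's default value is the DLL path.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $server) {
            $raw = (Get-Item $server).GetValue('')
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $company = ''
        $sig     = 'file missing'
        if ($dll -and (Test-Path $dll)) {
            $company = (Get-Item $dll).VersionInfo.CompanyName   # empty for most hijacker DLLs
            $sig     = (Get-AuthenticodeSignature $dll).Status   # Valid / NotSigned / ...
        }
        # Heuristic (my assumption): a randomly named System32 DLL with no vendor info
        # and no valid signature matches the pattern reported in this thread.
        $flag = if (-not $company -or $sig -ne 'Valid') { 'REVIEW' } else { 'ok' }
        "{0,-6} {1}`n       dll={2}`n       company='{3}' signature={4}" -f $flag, $clsid, $dll, $company, $sig
    }
}

Write-Host "`n== IE start/search values (HKLM and HKCU) =="
$ieValues = [ordered]@{
    'Software\Microsoft\Internet Explorer\Main'      = @('Start Page', 'Search Page', 'Search Bar', 'SearchURL', 'Default_Search_URL')
    'Software\Microsoft\Internet Explorer\Search'    = @('SearchAssistant', 'CustomizeSearch')
    'Software\Microsoft\Internet Explorer\TypedURLs' = @('url1')
}
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in $ieValues.Keys) {
        $path = "${hive}:\$sub"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty $path
        foreach ($name in $ieValues[$sub]) {
            $val = $props.$name
            # A Start Page of about:blank together with a Search Page / SearchURL pointing
            # at an unfamiliar host is the "search for..." symptom described in this thread.
            if ($null -ne $val) { "{0}\{1} = {2}" -f $path, $name, $val }
        }
    }
}
```

Compare the DLL paths and CLSIDs it prints against what BHODemon reports before removing anything, since a hijacker that re-creates its BHO every few hours (as described above) will show up here with a fresh CLSID and file name on each run.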
