new hompeage hijack dbipd.dll?

Question

jhowarth 0 Newbie Poster

20 Years Ago

Hello,

I recently got infected by a homepage hijacker virus and all of my attempts to rid my pc of the virus have failed.

Description of the virus:
1. it changes the homepage of IE to res://dbipd.dll/index.html#96676
2. it launches (and relaunches) a bunch of process like sysap32.exe, addql.exe, netey.exe, addok.exe etc...
3. it launches popups with bad advertisements

What I have tried:
1. ran symantec virus scan (always have realtime protection enabled)... found nothing
2. upated and ran cwshredder... found nothing
3. upated and ran spybot... found some cookies and a dbipd.dll key entry... action taken: remove all (delete)
4. updated and ran ad aware... found some more malware... removed all
5. searched the web for ever for references to the dbipd.dll and the related processes... no luck...
6. turned off system restore... and ran virus scan again... found no viruses...

After all this the virus remains...

Is this dbipd.dll a new version of the homepage hijacker that I get the priv of being annoyed by first?

Thanks in advance for any help posted... and I promise not to use IE in the future :)

Here is my hijackthis log:
Logfile of HijackThis v1.97.7
Scan saved at 5:12:17 PM, on 6/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\dbipd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dbipd.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dbipd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS\dbipd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dbipd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS\dbipd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = e:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
N1 - Netscape 4: user_pref("browser.startup.homepage", "file:///E|/Sites/ScriptTech/index.htm"); (E:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5CNetscapeSearch.src"); (E:\Documents and Settings\Jonny\Application Data\Mozilla\Profiles\default\c31r8r3a.slt\prefs.js)
O2 - BHO: (no name) - {CBB34022-85E3-83D0-516A-741DF8F48820} - E:\WINDOWS\system32\d3dn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IW Controlcenter] E:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysap32.exe] E:\WINDOWS\system32\sysap32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://12.98.84.234/TDBIN/Spider80.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA1} (WDCapture Class) - https://wip3.webdialogs.com/components/WDATL2.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37978.3928587963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://powertest.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C039FE4-34CA-4784-875E-2BB299AE9AB5}: NameServer = 207.155.184.72,206.173.119.72

windows-virus

5 Contributors
15 Replies
326 Views
1 Week Discussion Span
Latest Post 20 Years Ago Latest Post by DMR

Yzk 70 Posting Whiz

20 Years Ago

Hello everybody!

I guess your excitement went to ruins huh? Well I'm here now, let's go burn some viruses! :twisted:

Try running the online anti-virus of Trend Micro Jhowarth! (Click here) and remove all viruses found.

As for Arobrien,
follow these steps:

First run Ad-aware6.0 (click here) and UPDATE accordingly with the [check for updates now] button and afterwards delete everything it finds.

Download, install and UPDATE Spybot (click here). Scan and fix all items maked in RED.

Perform an online virus scan at Trend Micro's Housecall. Remove every virus
found.

Then run Hijackthis (click here) and before scanning close all (browser) windows. After the scanning save the log (notepad will open up) and copy, paste the log in here.

Yzk 70 Posting Whiz

20 Years Ago

Yowza!
Okay Arobrien, the whole point of spy/mal/adware is to be OBNOXIOUS! But we all know that now don't we?

FOR BOTH OF YOU, Be sure that you have Hijack this in a local folder called C:\HJT\ otherwise it won't make any back ups! And your system might be RUINED!
only when you are sure that you don't use it as a program, try deleting it.
If the trend micro online scan didn't work, try Panda's online anti-virus. click here
Okay, what you want to try now is going into "Safe Mode"

Windows 98/ME Startup Menu
Restart your computer wait until you see the text "Starting Windows98" and then press F8 (you might want to press a little sooner). Once at the Windows 98 Startup Menu select the Safe Mode option and press Enter.
Windows XP/2000
When you reach the boot menu (if not, press F8 before the windows loading screen) asking you which Operating System you would like to use hit F8 and then choose Safe Mode from the menu.

Just to be sure run Ad-aware and spybot again, see if they pick something up.

Afterwards try removing these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\idfnb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://idfnb.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://idfnb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\idfnb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://idfnb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\idfnb.dll/sp.html#96676

For unknown ones, that means I don't know what they are, but due to strange filenames, they might be spyware. So I'm hoping that you've put HJT in C:\HJT or it WON'T make any back ups. So be careful about removing unknown ones.

Unknown:

C:\WINDOWS\system32\crmz.exe
O4 - HKLM\..\Run: [crmz.exe] C:\WINDOWS\system32\crmz.exe

And after that try deleting them manually by searching. Now why you can't see them is because of the "Hidden Attribute". You can change that by going to [Extra] in the above menu, then go to folder options and then go to the [view] and click on [Show all files].

I hope that fixes it for you.

Now PMurthy,
Try doing what I've said to Arobrien as well (running in safe mode) and then try running ad-aware and spyware again. Afterwards give me another HJT log, this time with all (browser) windows closed.

crunchie 990 Most Valuable Poster

20 Years Ago

I have the same problem except that my homepage gets set to some other dll file. I tried deleteing that dll file from the windows system folder, but it made a new one with some freaking name and then I deleted that and it made a new one. This is making me nuts.
I tried every common spyware, virus scan and what not.
I tried several times the following
Updated Adaware
Updated Spybot
Virus scan from Trend micro
PestPatrol
Everytime they detect something, delete them and they reappear I don't know what is going on here.
Please give me suggestions where to go from here.
Here's my latest hijackthis log

Splitting your post out to it's own thread. Please do not piggy back other user's threads, it is too confusing to diagnose two logs in one post.

crunchie 990 Most Valuable Poster

20 Years Ago

FOLLOW-UP:
Looks like I was wrong. I'm back to the HiJacked Homepage:

Splitting you post out to it's own thread. Please do not piggy back threads, it's to confusing for all concerned. Thank you :)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

arobrien 0 Newbie Poster · Answer 1 · 2004-06-15T08:29:33+00:00

Can somebody please help me post on this site? I am completely lost as to how one starts a new thread (that's why I'm posting here).

I am extremely ticked that my homepage has been 'hijacked' by:

res://ibmup.dll/index.html#96676

or

http://www.lookfor.cc/index.php?pin=96676

Now I cannot change my homepage and I have popups which I NEVER had before.

Any assistance would be appreciated.

Email: accelerant@sbcglobal.net

jhowarth 0 Newbie Poster · Answer 2 · 2004-06-15T08:58:54+00:00

i was all excited that someone was gonna address my problem...

to start a new thread click the "new thread" image on the forum page (page where you can see all of the threads)...

the answer to your problem is to probably to go thru the steps i describe in my post... however i am not familiar with that hijack... try cwshredder first..

arobrien 0 Newbie Poster · Answer 3 · 2004-06-16T01:02:18+00:00

Yzk:

Thank You for your assistance. I had used everything except Ad-Aware, and it found about 30 CWS Malware files. I deleted them and was then able to reset my homepage. I ran Spybot--it detected nothing. I ran HiJackThis, and deleted the entries that referenced the "pin" # on the malware homepage. Restarted the computer, and things seem to be a bit closer to normal, speedwise. Also, the Trend Micro DL you referred me to keeps "encountering and error and has to shutdown." I have NAV which isn't picking anything up--though it did pick up the Bloodhound.Exploit.10 Virus when I was originally spammed with this spyware, and was unable to repair it. However, it seems to have fixed something, because, like I said, it's not picking anything up at the moment. So, the only problem remaining is the "ONLY THE BEST" pop-ups I keep getting, referencing various porn sites, etc. PROPERTIES for these Pop-Ups reference something in my C Drive [followed by a bunch of %%% type codes).

At any rate, here is the log from HiJackThis (after I deleted some entries I knew were malicious):

Logfile of HijackThis v1.97.7
Scan saved at 12:00:23 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\crmz.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ntvp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E15E1E91-0FD3-9AEB-0959-00933AADA0C4} - C:\WINDOWS\system32\addsv32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [crmz.exe] C:\WINDOWS\system32\crmz.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C500EF36-5C7F-4294-BA4E-09B2B64E4258}: NameServer = 64.169.140.6 206.13.28.12

Thank You again for your assistance.

Adam O'Brien

arobrien 0 Newbie Poster · Answer 4 · 2004-06-21T08:56:07+00:00

I don't know what to say--I deleted all of that, but it comes right back. There is something in the registry that keeps setting everything back. I can't get into certain websites and I can't even log into my online class. Unbelievable. If I know where the offices for these malware assholes were, I'd molotov cocktail them--NO joke.

Looks like I'm going to have to reformat, unless someone is familiar with this particular application and how to get rid of it.

Thanks,
A.

Yzk 70 Posting Whiz · Answer 5 · 2004-06-21T16:01:37+00:00

Yzk 70 Posting Whiz

20 Years Ago

Try using DLLfix and post the log here
Download from here

Edited 11 Years Ago by Dani because: Fixed formatting

Yzk 70 Posting Whiz · Answer 6 · 2004-06-21T16:47:55+00:00

Too late to edit my post but, here's the instructions:
Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of the log here.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 7 · 2004-06-21T19:41:32+00:00

Please reboot & rescan with hijackthis. There is a manual fix for this. Make sure that you do not delete anything from the log.

arobrien 0 Newbie Poster · Answer 8 · 2004-06-22T13:40:11+00:00

Yzk -

Thanks for sticking with me here. Can you please repost the site to get the dll fix application? The other link you posted was bad.

And regarding hijackthis, I've already gome that route to no avail. I think I also deleted something related to another program on my computer, because it is corrupt and won't launch. No biggie, I'll just have to reinstall it.

Is it possible that the spyware will not let me open anti-spyware type websites?

Yzk 70 Posting Whiz · Answer 9 · 2004-06-22T15:51:36+00:00

If it is possible if spyware will not let you open anti-spyware sites? None that I know off, however Trojans do that, and viruses do it to anti-virus sites btw.

:/ the only problem is that the creator is updating it, so you'll have to wait a few days.. and HJT is the solution, it just takes awhile for spyware to pop-up sort a speak.

Follow these steps plz, besides Crunchie is my instructor, sort a speak ;)
he knows this better then me, I only try to help out a little..
Dllfix instructions
Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of the log here.

HJT instructions
Originally posted by Crunchie:
Please reboot & rescan with hijackthis. There is a manual fix for this. Make sure that you do not delete anything from the log.

jhowarth 0 Newbie Poster · Answer 10 · 2004-06-22T22:31:03+00:00

well since my first post i've run trend mirco's scan... symantec's scan... updated adaware and spybot... run hijack this.... rebooted in safe mode with system restore off... and run all again...

and then i did it all again the next day... yesterday an adaware update was released... hopefully this fixed the problem...

in the end i'll just not browse w/ IE anymore...

DMR 152 Wombat At Large Team Colleague · Answer 11 · 2004-06-22T23:29:11+00:00

in the end i'll just not browse w/ IE anymore...

That will solve the majority of the problems. :)