The Virus/Spyware that wouldn't die... help

SithSolo1

Diamond Member
Mar 19, 2001
Ok, yesterday my brother found a little surprise when he started up IE. Instead of his usual homepage he got this. Then he got another surprise. Whenever he tried to change the homepage it would go back to that screen. Also when he closed IE or tried to go to another site he would get a full screen of virgin-teens.com chock full of all kinds of neat lil images. :roll: Anyway, here is what I have tried so far, without success in removing this bastard:


Full windows update
Disabled system restore
Removed all temp and temp internet files including the hidden IE folders
Spybot Search & Destroy
Ad-Aware
Highjackthis!
SpywareBlaster
AVG Anti-Virus
Norton Anti-Virus (It does detect a Bloodhound.Exploit.10 every time that pr0n site pops up but thus far I have been unable to block it) :(

All of the above software was up to date and was run in both standard and safe mode.

He has Windows XP Pro w/ SP1 and all crit updates that I know of.

Any help would be great but I'm not in too much of a hurry because right now I have him running Firefox. I also can't get to any search engine in Firefox.

Thank You,
J

SithSolo1

Diamond Member
Mar 19, 2001
Logfile of HijackThis v1.98.0
Scan saved at 2:43:23 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Shared Stuff\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O21 - SSODL: System - {F1CAE94B-E4C8-45FC-A58B-8F5565EF48F2} - C:\WINDOWS\system32\system32.dll

AtTheGates

Senior member
Jun 11, 2003
System32.dll is spyware. They picked that name to make it sound important, but there is not a real DLL by that name. You can try this. Remove it manually only after trying the other programs in the spyware FAQ and making sure everything is up to date.

Edit: Google system32.dll secure.html. I found many forum topics on this problem and most had more detailed answers than the one I posted.

SithSolo1

Diamond Member
Mar 19, 2001
Well I did what that page said and it killed the pr0n pop-up so that's good.

But....I still get the blue screen of suck whenever I try to go to a search engine in IE and Firefox. All other websites work, just not search engines. :(

AtTheGates

Senior member
Jun 11, 2003
Well, a second look through the log revealed another one. The explorer.exe in System32 is also fake. The real version is in Windows.
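As an added example that is not part of this thread and not HijackThis's own code, the script below turns the two observations above (a fake system32.dll loaded through the O21 ShellServiceObjectDelayLoad hook, and a second explorer.exe living in System32) plus the hijacked R0/R1 start-page entries into a small triage pass over a HijackThis log. The sample input is an excerpt of the log posted earlier in the thread. Three things are assumptions rather than facts from the thread: that the Windows folder is named WINDOWS or WINNT, that IE's "Local Page" normally points at blank.htm, and that a clean XP install carries only webcheck.dll and stobject.dll as SSODL entries; check all three against a known-clean machine before trusting a flag.

```python
"""Triage a HijackThis-style log for the hijacker indicators discussed in this thread.

Added example, not from the thread or from HijackThis itself. It flags:
  * R0/R1 start/default pages pointing at a local file (secure.html in the Windows folder),
  * explorer.exe running or auto-started from anywhere but the Windows root,
  * O21 SSODL shell hooks whose DLL is not on a small allow list.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: an excerpt of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: System - {F1CAE94B-E4C8-45FC-A58B-8F5565EF48F2} - C:\WINDOWS\system32\system32.dll
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, or PROC for the running-process list
    reason: str
    line: str


# ASSUMPTIONS (not stated in the thread): Windows root folder names, the normal
# target of IE's "Local Page", and the SSODL entries a clean XP box carries.
WINDOWS_ROOT_NAMES = {"windows", "winnt"}
SYSTEM_ROOT_BINARIES = {"explorer.exe"}       # binaries that belong in the Windows root
EXPECTED_LOCAL_PAGE = "blank.htm"
KNOWN_SSODL_DLLS = {"webcheck.dll", "stobject.dll"}

R_RE = re.compile(r"^(?P<code>R[01]) - [^,]+,(?P<value>[^=]+?)\s*=\s*(?P<data>.+)$")
O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: .+? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
LOCAL_PATH_RE = re.compile(r"^([A-Za-z]:\\|file:)", re.IGNORECASE)


def image_path(cmd):
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]


def misplaced_system_binary(path):
    """True when a Windows-root binary (explorer.exe) sits in any other folder."""
    parts = path.lower().split("\\")
    return (len(parts) >= 2 and parts[-1] in SYSTEM_ROOT_BINARIES
            and parts[-2] not in WINDOWS_ROOT_NAMES)


def triage(log_text):
    """Return a list of Finding objects for every suspicious line in the log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:                      # process list ends at the first blank line
            if not line:
                in_processes = False
            elif misplaced_system_binary(line):
                findings.append(Finding("PROC", "system binary running from a non-standard folder", line))
            continue
        m = R_RE.match(line)
        if m:
            data, value = m.group("data").strip(), m.group("value")
            if value == "Local Page":         # a local file is normal here, but only blank.htm
                bad = data.lower().split("\\")[-1] != EXPECTED_LOCAL_PAGE
            else:                             # start/default page should be a URL, not a file
                bad = bool(LOCAL_PATH_RE.match(data))
            if bad:
                findings.append(Finding(m.group("code"), "IE page setting points at a local file", line))
            continue
        m = O4_RE.match(line)
        if m and misplaced_system_binary(image_path(m.group("cmd"))):
            findings.append(Finding("O4", "Run key launches a system binary from a non-standard folder", line))
            continue
        m = O21_RE.match(line)
        if m and m.group("path").strip().lower().split("\\")[-1] not in KNOWN_SSODL_DLLS:
            findings.append(Finding("O21", "unrecognised ShellServiceObjectDelayLoad DLL", line))
    return findings


def summarize(findings):
    """Count findings per section code, e.g. {'R1': 2, 'R0': 4, 'PROC': 2, 'O4': 1, 'O21': 1}."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

On the thread's log this reports ten lines: the six hijacked R0/R1 page settings, the two running copies of explorer.exe in System32, the [Explorer] Run key that restarts it at logon, and the system32.dll SSODL hook. Legitimate entries such as the quoted ccApp.exe Run key and the NAV Helper BHO are left alone, which is the point of keying the checks on where a file lives rather than on its name alone.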

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
With the speed at which WinXP sets up on a recent system, maybe you should just do a reformat/reinstallation of Windows. I strongly suggest that you make your little brother his own Restricted User account and make him use it. Set your own account to lock the screensaver at 10 minutes idle time or something, so he can't jump on your session, or make yourself a Restricted User account too. No one else uses my home computer, and *I* use a RU account for daily-driver stuff.

Besides that, obviously you already know to load up on preventive measures like antivirus software and enabling Windows Automatic Updates. Make sure your antivirus software is set to kill on sight, no questions asked :evil: Spybot S&D 1.3 has some additional protective features and can make a backup copy of the Windows registry so it has something to restore from if it does get messed up.

cressida

Platinum Member
Sep 10, 2000
Hello Sith,

Try this virus scan online: http://housecall.trendmicro.com/ - Clean anything that comes up
Also you need to use the peper trojan http://downloads.subratam.org/PeperFix.exe

REBOOT - Then turn off system restore
Then run spybot again with updates and adaware -
Spybot:
Install, then run Spybot. ALWAYS use the search for update button when you first open Spybot. Let Spybot download and install any updates it finds. Now you are ready to click the Check for problems button. Let Spybot fix any entries marked in RED.

Adaware:
Install The Program and Run it. Make Sure You Click the "Check for Updates" Button before starting a scan. Do a scan on AdAware and Remove Everything it suggests.

Now for deep cleaning:

1. Before you do that - make a folder in the C:\HJT\HijackThis.exe and make sure you have the backup option selected.
(Config button on the right) - Just in case we make a mistake
2. ****NOTE quite a few of the entries below may well no longer be there, thanks to our use of Spybot & AdAware
3. Remove these entries if they are still there

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab

REBOOT - and post a new log here and try to surf and see if the thing still comes up.

SithSolo1

Diamond Member
Mar 19, 2001
Sorry it took so long for me to get back to you guys. I went to a keg party and got a lil more intoxicated than I had planned. Anyway I had fixed the problem before I left. I dl'ed and ran CWShredder and it found and killed some file, so I tried IE again and everything was back to normal. :confused::eek: Anyway, I'd just like to thank everyone for their helpful insights that finally led to my fixing of this problem. :D