IE Hijacked - res://exvga.dll/index.html#22776
   

tfstl
New Member


Date Joined Oct 2004
Total Posts : 3
 
Posted 10-29-2004 5:57 (GMT +1)
My IE is hijacked - always goes back to the same home page res://exvga.dll/index.html#22776 no matter what... I tried deleting some files following a post I found here, but when I started up IE they came back again. I can't work in Safe Mode because I'm at work and it won't let me. The IT dept here is no help - they just tell me to run Spybot and Ad-aware, which I have also done.

I appreciate any help or advice. My work entails some web apps that can only be accessed through Explorer, so it's pretty frustrating. Thank you!

Logfile of HijackThis v1.97.7
Scan saved at 11:50:44 AM, on 10/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\apikz.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\system32\mfcnf.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\HijackThis.exe
C:\Program Files\Opera75\opera.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\exvga.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\exvga.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://exvga.dll/index.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\exvga.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://exvga.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\exvga.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\exvga.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://exvga.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\exvga.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\exvga.dll/sp.html#22776
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C9252AA7-3F3F-43D0-7D46-29CF53EDCBCC} - C:\WINNT\ntng32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [mfcnf.exe] C:\WINNT\system32\mfcnf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stl.umsl.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F04DEDE-4654-4C40-BADA-5B96B93C13C9}: NameServer = 134.124.15.13,134.124.15.136
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F04DEDE-4654-4C40-BADA-5B96B93C13C9}: NameServer = 134.124.15.13,134.124.15.136
O17 - HKLM\System\CS2\Services\Tcpip\..\{6F04DEDE-4654-4C40-BADA-5B96B93C13C9}: NameServer = 134.124.15.13,134.124.15.136

Post Edited (tfstl) : 11/1/2004 7:42:33 PM GMT

 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14304
 
Posted 11-1-2004 12:13 (GMT +1)
Hey tfstl
 
Why can't you go to safe mode?
 
 
Please download AboutBuster: http://tools.zerosrealm.com/AboutBuster.zip
Just unzip to Desktop.
 
mwav exe
Leave the programs.
 
 
 
 
 
Please print out the remainder of these directions, as you'll have to proceed in Safe Mode. Now, disconnect from the net.
 
 

Reboot into Safe Mode (hit F8 key until menu shows up).
 
Start > Run, type: regedit
Find: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Check for a key called HOMEOldsp; if present, delete it.
And if you have some files in searchpage/searchbar which end with …\sp, delete them.
Go to Edit in the registry and type: HOMEOldsp. Click Find Next and delete it, if present.
Use F3 to search for more; if you find more, delete them.
Same procedure with About:blank
Close Registry.


 
Scan with HijackThis, close all other windows and browsers, and place a checkmark next to these items, and fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\exvga.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\exvga.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://exvga.dll/index.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\exvga.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://exvga.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\exvga.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\exvga.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://exvga.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\exvga.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\exvga.dll/sp.html#22776

 
Double click the AboutBuster.exe file. Click OK, then click Start, then click OK.
This will scan your computer for the bad files and delete them. Save the report it creates (copy and paste it into notepad and save as a .txt file).
 
 
Run Ad-aware
We need to configure Ad-aware SE for a full scan. Some of them should be enabled by default, while others you will need to set yourself (see below).
Click on the Gear icon (second from the left) to access the preferences/settings window.
In the General window make sure the following are selected:
 Automatically save logfile
 Automatically quarantine objects prior to removal
 Safe Mode (always request confirmation)
Click on the Scanning button on the left and select:
 Scan within archives
 Scan active processes
 Scan registry
 Deep-scan registry
 Scan my IE Favorites for banned URLs
 Scan my Hosts file
Under Select drives & folders to scan, choose:
 Select all of your hard drives that are not selected already
Click on the Advanced button on the left and select:
 Include additional object information
 Include negligible objects information
 Include environment information
Click the Tweak button and select:
Under the Scanning Engine:
 Unload recognized processes & modules during scan
Under the Cleaning Engine:
 Let Windows remove files in use at next reboot
Click on Proceed to save the settings.
Click Start and on the next screen choose:
 Use custom scanning options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
Save the log file when it asks and then click Finish.
When finished, mark everything for removal and get rid of it. (Right-click on any of the entries and choose Select All from the drop down menu and click Next).
 
 
Now run the scanner you downloaded from MicroWorld.
Activate all in settings
 
 
Reboot, this should be your first reboot! If you need updates: http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en

Post a new log, with the AboutBuster log.
---------------------------------------------------------------------------
 

 


Touch

Member of - Alliance of Security Analysis Professionals

Post Edited (Touch) : 11/1/2004 11:15:00 AM GMT
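
Added example, not part of the original thread or of any tool named in it: a small Python parser that reads HijackThis R0/R1 lines like the ones listed above and reports every IE start/search setting whose data is a res:// URL, together with the DLL it loads from. The function names and the benign example.com entry are constructed for illustration.

```python
import ntpath
import re

# Constructed sample in HijackThis log format: two hijacked entries as they
# appear in the thread's log, one made-up benign Start Page, one non-R line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\exvga.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://exvga.dll/index.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# "R0 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\([^,]+),(.+?) = (.*)$")
# "res://<module>/<resource>[#fragment]"; module may be a full Windows path
RES_URL = re.compile(r"^res://([^/]+)/([^#]*)(?:#(.*))?$", re.IGNORECASE)


def find_res_hijacks(log_text):
    """Return one dict per IE start/search setting whose data is a res:// URL."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # not an IE start/search page entry
        section, hive, key, name, data = m.groups()
        res = RES_URL.match(data.strip())
        if not res:
            continue  # ordinary http(s) value, nothing to report
        module_path, resource, _fragment = res.groups()
        findings.append({
            "section": section,
            "hive": hive,
            "key": key,
            "value_name": name,
            "module": ntpath.basename(module_path).lower(),
            "resource": resource,
        })
    return findings


def modules_to_locate(findings):
    """Distinct DLL names the hijacked settings load their pages from."""
    return sorted({f["module"] for f in findings})


if __name__ == "__main__":
    hits = find_res_hijacks(SAMPLE_LOG)
    print(modules_to_locate(hits), len(hits))
```

Running the same check on the log posted after cleanup shows whether any of the ten R0/R1 values were rewritten again after the reboot.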

 

tfstl
New Member


Date Joined Oct 2004
Total Posts : 3
 
Posted 11-1-2004 5:07 (GMT +1)
Hi Touch,
 
Thanks SO much for your help - my IE now works like a dream even after restarting and opening and closing it several times.  :)
 
FYI, I was unable to use AboutBuster - when I opened it, I received a message saying "Database is missing or corrupt.  Please download a new one."  I tried downloading the program from a few different sites, and I received the same error each time.
 
But, everything else worked and now my IE works again.  Thank you!!!
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14304
 
Posted 11-1-2004 6:07 (GMT +1)
Sounds good;-)
 