Solved

explorer hijack by res://spdbt.dll/index.html#37049

Posted on 2004-08-06
Last Modified: 2013-12-04
I ran Spybot and ToolbarCop and removed several things, but this page keeps showing up. This is the log from HijackThis. I have tried to run the antivirus from www.housecall.antivirus.com, but the explorer will quit when the applet starts to download. Can this be because of the hijacking of the explorer?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 9:04:03 AM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\HijackThis.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\ToolbarCop.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ntdk.exe
C:\WINDOWS\system32\ipxq.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spdbt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B} - C:\WINDOWS\system32\msvh32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ntdk.exe] C:\WINDOWS\ntdk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32  "C:\Program Files\Common Files\submit.exe"
O4 - HKLM\..\RunOnce: [ipxq.exe] C:\WINDOWS\system32\ipxq.exe
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\WINDOWS\msku\msku.dll,UpdateDll s
O9 - Extra button: AnyWho (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://source.invensysibs.com/CFIDE/classes/CFJava.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx

Question by:oalvarado

Accepted Solution

by:
LRI41 earned 125 total points
ID: 11740016
Ran your HijackThis log through the "Analysis Site":

HijackThis log file analysis

HijackThis is a program used by experienced users in order to detect browser hijackers. It allows you to identify any sort of spyware and malware (as well as some trojan horses and worms). This is achieved by scanning special zones of the registry as well as the hard disk drive, the results being listed in a structured window. Another feature of HijackThis is the creation of a log file, which can be saved as a simple text file and opened by any text editor (notepad as default). Until now, inexperienced users, who could not analyze the log file by themselves, had no other choice than posting it in a specialized forum and to hope that a more experienced user takes some time to analyze it. The script presented on this page is a way to analyze your log without help from the outside: simply copy/paste the content of the log file in the textbox below and hit the analyze button. HijackThis is free and does not need to be installed.


http://www.hijackthis.de/index.php?langselect=english
 
and this is what it reports:

Entry | Rating | Explanation | Recommendation

Logfile of HijackThis v1.97.7 | Possibly out of date | Shows the version of HijackThis an. The newest version is: v1.98.1! | Your version (v1.97.7 ) is out of date. Visit the manufacturers homepage to update.

C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\ToolbarCop.exe | Unknown | running process. (ToolbarCop.exe) | This is a unknown process
C:\WINDOWS\ntdk.exe | Unknown | running process. (ntdk.exe) | This is a unknown process.
C:\WINDOWS\system32\ipxq.exe | Unknown | running process. (ipxq.exe) | This is a unknown process.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html# | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049 | Nasty | This entry should be fixed by HijackThis! | This entry should be fixed by HijackThis!
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/s | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049 | Nasty | This entry should be fixed by HijackThis! | This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html# | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spdbt.dll/index.html#37 | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spdbt.dll/ | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/s | Nasty | This entry should be fixed by HijackThis! | This entry should be fixed by HijackThis!

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dl | Nasty | Entries found in this registry zone are potentially nasty. This application ([2E9CAFF6-30C7-4208-8807-E79D4EC6F806] - Result: 2E9CAFF6-30C7-4208-8807-E79D4EC6F806) has been checked. Hit rate: 100,00 % | Must be fixed!
O2 - BHO: (no name) - {5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B} - C:\WINDOWS\system32\msvh32.dll | Unknown | Entries found in this registry zone are potentially nasty. This application ([5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B] - Result: ) has been checked. Hit rate: 0,00 % | Unknown application.

O4 - HKLM\..\Run: [ntdk.exe] C:\WINDOWS\ntdk.exe | Unknown | The entered application ntdk.exe was identified: None. Hit rate: 16,67 % (result) | Unknown application.
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Common | Nasty | The entered application delsubmit was identified: delsubmit. Hit rate: 65,62 % (result) | Must be fixed!
O4 - HKLM\..\RunOnce: [ipxq.exe] C:\WINDOWS\system32\ipxq.exe | Unknown | The entered application ipxq.exe was identified: None. Hit rate: 8,33 % (result) | Unknown application.
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\WINDOWS\msku\msku.dll,UpdateDll s | Unknown | The entered application Updater was identified: updater. Hit rate: 61,04 % (result) | Unknown application.

O9 - Extra button: AnyWho (HKLM) | Possibly nasty | Unknown buttons or entries in the 'Extras'-menu should be fixed. | To be fixed if the entry 'AnyWho ' is unknown.
O9 - Extra button: Research (HKLM) | Possibly nasty | Unknown buttons or entries in the 'Extras'-menu should be fixed. | To be fixed if the entry 'Research ' is unknown.

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD L | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2 | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://source.invensysibs.com/C | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Auto | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.

Save analysis (NOTICE: Your analysis will only be saved for 5 days.) You should save this file on your hard disk drive. (right click -> save target as)
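
As an added example (not part of the original answer and not the hijackthis.de script), the sketch below parses the R and O4 lines of the log posted in the question, groups the Internet Explorer settings that point into a local module through res://, and lists the autostart entries for review. The function names and regular expressions are assumptions made for this example.

```python
import re
from collections import defaultdict

# Excerpt copied from the HijackThis log in the question (not the full log).
LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spdbt.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ntdk.exe] C:\WINDOWS\ntdk.exe
O4 - HKLM\..\RunOnce: [ipxq.exe] C:\WINDOWS\system32\ipxq.exe
"""

# R lines: "<code> - <HIVE>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
# res://<module>/<resource> loads a page stored inside a local DLL or EXE
RES_URL = re.compile(r"^res://(.+?\.(?:dll|exe))/", re.IGNORECASE)
# O4 lines: "O4 - <HIVE>\..\Run[Once]: [<name>] <command>"
O4_LINE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\(Run(?:Once)?): \[(.+?)\] (.*)$")


def find_res_hijacks(log_text):
    """Map each module named in a res:// URL to the IE settings that use it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        res = RES_URL.match(m.group(5)) if m else None
        if res:
            # "C:\WINDOWS\spdbt.dll" and "spdbt.dll" name the same module
            module = res.group(1).rsplit("\\", 1)[-1].lower()
            hits[module].append((m.group(2), m.group(4)))
    return dict(hits)


def autoruns(log_text):
    """List (hive, key, name, command) for every O4 autostart entry."""
    found = (O4_LINE.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in found if m]


if __name__ == "__main__":
    for module, settings in find_res_hijacks(LOG).items():
        print(f"{module}: {len(settings)} IE settings point into this module")
        for hive, name in settings:
            print(f"  {hive}  {name}")
    print("Autostart entries to review alongside the settings:")
    for hive, key, name, command in autoruns(LOG):
        print(f"  {hive} {key} [{name}] {command}")
```

Grouping by module shows that the same DLL is referenced from both HKCU and HKLM, so every listed value has to be reset, not only the start page.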
