Solved

explorer hijack by res://spdbt.dll/index.html#37049

Posted on 2004-08-06
Last Modified: 2013-12-04
I ran Spybot and ToolbarCop and removed several things, but this page keeps showing up. This is the log from HijackThis. I have tried to run the antivirus from www.housecall.antivirus.com, but Explorer quits when the applet starts to download. Can this be because of the hijacking of Explorer?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 9:04:03 AM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\HijackThis.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\ToolbarCop.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ntdk.exe
C:\WINDOWS\system32\ipxq.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spdbt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B} - C:\WINDOWS\system32\msvh32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ntdk.exe] C:\WINDOWS\ntdk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32  "C:\Program Files\Common Files\submit.exe"
O4 - HKLM\..\RunOnce: [ipxq.exe] C:\WINDOWS\system32\ipxq.exe
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\WINDOWS\msku\msku.dll,UpdateDll s
O9 - Extra button: AnyWho (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://source.invensysibs.com/CFIDE/classes/CFJava.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx

Question by: oalvarado

1 Comment

Accepted Solution

by: LRI41 (LVL 10, earned 125 total points)
ID: 11740016
Ran your HijackThis log through the analysis site:

HijackThis log file analysis

HijackThis is a program used by experienced users to detect browser hijackers. It allows you to identify any sort of spyware and malware (as well as some trojan horses and worms). This is achieved by scanning special zones of the registry as well as the hard disk drive, the results being listed in a structured window. Another feature of HijackThis is the creation of a log file, which can be saved as a simple text file and opened by any text editor (Notepad by default). Until now, inexperienced users who could not analyze the log file by themselves had no other choice than to post it in a specialized forum and hope that a more experienced user would take some time to analyze it. The script presented on this page is a way to analyze your log without help from outside: simply copy/paste the content of the log file into the textbox below and hit the analyze button. HijackThis is free and does not need to be installed.


http://www.hijackthis.de/index.php?langselect=english
 
and this is what it reports:

Logfile of HijackThis v1.97.7
    Possibly out of date. Shows the version of HijackThis. The newest version is v1.98.1! Your version (v1.97.7) is out of date. Visit the manufacturer's homepage to update.

C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\ToolbarCop.exe
    Unknown. Running process (ToolbarCop.exe). This is an unknown process.
C:\WINDOWS\ntdk.exe
    Unknown. Running process (ntdk.exe). This is an unknown process.
C:\WINDOWS\system32\ipxq.exe
    Unknown. Running process (ipxq.exe). This is an unknown process.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#
    Nasty. Entries with this kind of homepage should always be fixed. This entry should be fixed by HijackThis!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html
    Nasty. Entries with this kind of homepage should always be fixed. This entry should be fixed by HijackThis!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
    Nasty. This entry should be fixed by HijackThis!
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/s
    Nasty. Entries with this kind of homepage should always be fixed. This entry should be fixed by HijackThis!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
    Nasty. This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#
    Nasty. Entries with this kind of homepage should always be fixed. This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html
    Nasty. Entries with this kind of homepage should always be fixed. This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spdbt.dll/index.html#37
    Nasty. Entries with this kind of homepage should always be fixed. This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spdbt.dll/
    Nasty. Entries with this kind of homepage should always be fixed. This entry should be fixed by HijackThis!
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/s
    Nasty. This entry should be fixed by HijackThis!

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dl
    Nasty. Entries found in this registry zone are potentially nasty. This application ([2E9CAFF6-30C7-4208-8807-E79D4EC6F806] - Result: 2E9CAFF6-30C7-4208-8807-E79D4EC6F806) has been checked. Hit rate: 100,00 %. Must be fixed!
O2 - BHO: (no name) - {5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B} - C:\WINDOWS\system32\msvh32.dll
    Unknown. Entries found in this registry zone are potentially nasty. This application ([5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B] - Result: ) has been checked. Hit rate: 0,00 %. Unknown application.

O4 - HKLM\..\Run: [ntdk.exe] C:\WINDOWS\ntdk.exe
    Unknown. The entered application ntdk.exe was identified: None. Hit rate: 16,67 % (result). Unknown application.
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Common
    Nasty. The entered application delsubmit was identified: delsubmit. Hit rate: 65,62 % (result). Must be fixed!
O4 - HKLM\..\RunOnce: [ipxq.exe] C:\WINDOWS\system32\ipxq.exe
    Unknown. The entered application ipxq.exe was identified: None. Hit rate: 8,33 % (result). Unknown application.
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\WINDOWS\msku\msku.dll,UpdateDll s
    Unknown. The entered application Updater was identified: updater. Hit rate: 61,04 % (result). Unknown application.

O9 - Extra button: AnyWho (HKLM)
    Possibly nasty. Unknown buttons or entries in the 'Extras' menu should be fixed. To be fixed if the entry 'AnyWho' is unknown.
O9 - Extra button: Research (HKLM)
    Possibly nasty. Unknown buttons or entries in the 'Extras' menu should be fixed. To be fixed if the entry 'Research' is unknown.

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD L
    Possibly nasty. Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2
    Possibly nasty. Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
    Possibly nasty. Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://source.invensysibs.com/C
    Possibly nasty. Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed! Check if you know this site and fix it if you do not.
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Auto
    Possibly nasty. Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed! Check if you know this site and fix it if you do not.

