Solved

explorer hijack by res://spdbt.dll/index.html#37049

Posted on 2004-08-06
Last Modified: 2013-12-04
I ran Spybot and ToolbarCop and removed several things, but this page keeps showing up. This is the log from HijackThis. I have tried to run the antivirus from www.housecall.antivirus.com, but Explorer quits when the applet starts to download. Can this be because of the hijacking of Explorer?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 9:04:03 AM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\HijackThis.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\ToolbarCop.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ntdk.exe
C:\WINDOWS\system32\ipxq.exe
C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spdbt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B} - C:\WINDOWS\system32\msvh32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ntdk.exe] C:\WINDOWS\ntdk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32  "C:\Program Files\Common Files\submit.exe"
O4 - HKLM\..\RunOnce: [ipxq.exe] C:\WINDOWS\system32\ipxq.exe
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\WINDOWS\msku\msku.dll,UpdateDll s
O9 - Extra button: AnyWho (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://source.invensysibs.com/CFIDE/classes/CFJava.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx

Question by:oalvarado

Accepted Solution

by:
LRI41 earned 125 total points
ID: 11740016
Ran your HijackThis log through the "Analysis Site":

HijackThis log file analysis

HijackThis is a program used by experienced users in order to detect browser hijackers. It allows you to identify any sort of spyware and malware (as well as some trojan horses and worms). This is achieved by scanning special zones of the registry as well as the hard disk drive, the results being listed in a structured window. Another feature of HijackThis is the creation of a log file, which can be saved as a simple text file and opened by any text editor (notepad as default). Until now, inexperienced users, who could not analyze the log file by themselves, had no other choice than posting it in a specialized forum and to hope that a more experienced user takes some time to analyze it. The script presented on this page is a way to analyze your log without help from the outside: simply copy/paste the content of the log file in the textbox below and hit the analyze button. HijackThis is free and does not need to be installed.


http://www.hijackthis.de/index.php?langselect=english
 
and this is what it reports:

Logfile of HijackThis v1.97.7 | Possibly out of date | Shows the version of HijackThis an. The newest version is: v1.98.1! | Your version (v1.97.7 ) is out of date. Visit the manufacturers homepage to update.

C:\Documents and Settings\Administrator.CECDOMAIN01\Desktop\ToolbarCop.exe | Unknown | running process. (ToolbarCop.exe) | This is a unknown process
C:\WINDOWS\ntdk.exe | Unknown | running process. (ntdk.exe) | This is a unknown process.
C:\WINDOWS\system32\ipxq.exe | Unknown | running process. (ipxq.exe) | This is a unknown process.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html# | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049 | Nasty | This entry should be fixed by HijackThis! | This entry should be fixed by HijackThis!
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/s | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049 | Nasty | This entry should be fixed by HijackThis! | This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html# | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spdbt.dll/sp.html | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://spdbt.dll/index.html#37 | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\spdbt.dll/ | Nasty | Entries with this kind of homepages should always be fixed. | This entry should be fixed by HijackThis!
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spdbt.dll/s | Nasty | This entry should be fixed by HijackThis! | This entry should be fixed by HijackThis!

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dl | Nasty | Entries found in this registry zone are potentially nasty. This application ([2E9CAFF6-30C7-4208-8807-E79D4EC6F806] - Result: 2E9CAFF6-30C7-4208-8807-E79D4EC6F806) has been checked. Hit rate: 100,00 % | Must be fixed!
O2 - BHO: (no name) - {5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B} - C:\WINDOWS\system32\msvh32.dll | Unknown | Entries found in this registry zone are potentially nasty. This application ([5DCD2B4E-94CD-BAC9-A2ED-1738BBFD853B] - Result: ) has been checked. Hit rate: 0,00 % | Unknown application.

O4 - HKLM\..\Run: [ntdk.exe] C:\WINDOWS\ntdk.exe | Unknown | The entered application ntdk.exe was identified: None. Hit rate: 16,67 % (result) | Unknown application.
O4 - HKLM\..\RunOnce: [delsubmit] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Common | Nasty | The entered application delsubmit was identified: delsubmit. Hit rate: 65,62 % (result) | Must be fixed!
O4 - HKLM\..\RunOnce: [ipxq.exe] C:\WINDOWS\system32\ipxq.exe | Unknown | The entered application ipxq.exe was identified: None. Hit rate: 8,33 % (result) | Unknown application.
O4 - HKCU\..\RunOnce: [Updater] rundll32 C:\WINDOWS\msku\msku.dll,UpdateDll s | Unknown | The entered application Updater was identified: updater. Hit rate: 61,04 % (result) | Unknown application.

O9 - Extra button: AnyWho (HKLM) | Possibly nasty | Unknown buttons or entries in the 'Extras'-menu should be fixed. | To be fixed if the entry 'AnyWho ' is unknown.
O9 - Extra button: Research (HKLM) | Possibly nasty | Unknown buttons or entries in the 'Extras'-menu should be fixed. | To be fixed if the entry 'Research ' is unknown.

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD L | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2 | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://source.invensysibs.com/C | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Auto | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.

Save analysis (NOTICE: Your analysis will only be saved for 5 days.) You should save this file on your hard disk drive. (right click -> save target as)
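
An added example, not part of the original thread and not code from HijackThis or the analysis site: a small Python parser for the R0/R1 lines of a HijackThis log that groups the Internet Explorer settings redirected to a res:// page by the DLL serving it. The function names are hypothetical, the sample lines are copied from the log in the question, and treating a bare module name and a full path with the same file name as one module is an assumption made for triage.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in the question.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\spdbt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://spdbt.dll/index.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ntdk.exe] C:\WINDOWS\ntdk.exe
"""

# R0/R1 line shape: "<code> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
# res://<module>/<resource>[#fragment]; <module> may be a full Windows path.
RES_URL = re.compile(r"^res://([^/]+)/([^#]*)(?:#(.*))?$", re.IGNORECASE)


def parse_r_entries(log_text):
    """Return one dict per R0/R1 line; every other line is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, hive, key, name, data = m.groups()
            entries.append({"code": code, "hive": hive, "key": key,
                            "name": name, "data": data})
    return entries


def res_hijacks(entries):
    """Group settings whose data is a res:// URL by the DLL file name in it."""
    by_module = defaultdict(list)
    for e in entries:
        m = RES_URL.match(e["data"])
        if m:
            # Assumption for triage: a full path and a bare name with the
            # same file name are reported as one module.
            module = m.group(1).rsplit("\\", 1)[-1].lower()
            by_module[module].append((e["hive"], e["name"], m.group(2)))
    return dict(by_module)


if __name__ == "__main__":
    for module, settings in res_hijacks(parse_r_entries(SAMPLE_LOG)).items():
        print(f"{module}: {len(settings)} IE setting(s) redirected")
        for hive, name, resource in settings:
            print(f"  {hive} {name} -> {resource}")
```

Grouping by module shows at a glance that every redirected setting in the sample, in both HKCU and HKLM, points at the same DLL, which is the file to locate on disk once the registry entries are fixed.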
