Browser Hijack Nightmare!! HELP!!!

316 Posts
Joined 2001-07-27
Last night I installed Windows XP SP2 (Beta) and Windows Media Player 10 just to see how they work. Guess what, as soon as I finished checking things out (the firewall settings, etc.) Internet Explorer ended up with two pieces of spyware. One I could remove (MySearchBar) and the other one I'm stuck with, and I can't figure out how to remove it.

I have uninstalled SP2 since I kept getting spyware from any site I visited!!! Or it seemed like it. Got rid of SP2 and it's all back to normal.

It changes my homepage to about:blank, but there is a "Search for..." page as my homepage, a few suspicious items are added to Favorites, and NOTHING PICKS THE DAMN THING UP! ;(
I used Ad-Aware and Spybot, and "Spyware Nuker" (??), which picked it up as Slotch XXX Toolbar, but that is not correct because my computer does not contain any of the components they mention in the removal instructions for that "thing" (there is no actual TOOLBAR, nothing in Add/Remove Programs, the registry keys they mention don't match, and there is no tinybar.exe anywhere on any of my HDDs).

If I get my hands on the bastards who make such pains I'll choke them to death!!! They don't even dare to put a contact link or company name, or copyright, or anything in there. Bastards. ;(

Please somebody help!!!!!!!


Responses to this topic


1457 Posts
Joined 2001-12-18
A browser helper object (BHO) does not always appear as a toolbar, but it does get invoked whenever you bring up IE or any browser that uses IE components.

Download BHODemon 2.0 (it's free) and it will tell you what BHOs exist (and you can disable them). It will also tell you if something is changing your homepage or writing a value in your registry.

SpywareGuard (also free) also protects your homepage.

SpywareBlaster (also free) will load dozens of sites known to infect systems and keep them from running.

Finally, PestPatrol (not free but reasonable) will do a better job than most in finding pests, spyware, and the like. It runs in memory after it is installed and will alert you if something is being installed.

Spyware Stopper is "free" until you need to update virus definitions. You get one free update, then you will have to pay a yearly subscription.

316 Posts
Joined 2001-07-27
OP
WOW, it picked it up!!! It worked!!!

Thank you very much for your help.
I had disabled System Restore. BHODemon 2.0 found gfmhaab.dll, which I deleted in Safe Mode, and the program also gave me the registry location (deleted that too) and it's gone!!!!! Everything is working so far!!!

Thank you very much for your reply, I was so close to giving up and reformatting the hard drive.

Got to find out who wrote that annoying BHO that gave me tons of headaches!!!! If I get my hands on the producer of that thing I'll break my foot kicking him so hard in his.... never mind.

14 Posts
Joined 2004-06-18
Is the bar you can't remove the one called ISEARCH? Because I have that thing. If you can find a program to remove those things, such as XoftSpy or Adware Remover, you can get rid of everything. I have over 4800 spyware-infected files, so don't feel bad.

316 Posts
Joined 2001-07-27
OP
Hi guys, me again!!!! I have removed this BHO crap and the system works well for about 4~5 hrs, and then the same thing happens again. Now the DLL file name and the registry value keep changing, but the same site comes up!!!! How the hell do they do that?

This all started happening after I installed SP2 (of course I have removed it now!!!), but this is the only computer I have this problem with. Now the name of the file is phanaa.dll and in the registry: CLSID {3019DB0B-E808-45A0-9D2E-F44A4586EF4F}

I'm thinking there might be a flaw in the security of IE that appeared after installing SP2. Or there might be other things on the computer that make this happen again and again?

Any suggestions?
Thank you

316 Posts
Joined 2001-07-27
OP
Originally posted by Sampson:

Quote: There used to be a BHO page with all of the info on these things. Apparently there is now a program: http://www.spywareinfo.com/~merijn/files/bholist.zip
This download contains a trojan called Trojan.StartPage. Be careful with this file!!!! ;(

1457 Posts
Joined 2001-12-18
The program BHOList.exe comes from Merijn Bellekom, the developer of StartupList and HijackThis. It downloads and displays the BHO Collection in a searchable and sortable list. It will contain the names of some nasties, which may have set off your virus scan, Ali, but I doubt that it actually contains any trojans. I use both AVG 7.0 and eTrust and neither gave me an indication of a problem.
 

316 Posts
Joined 2001-07-27
OP
I only use Norton AntiVirus 2003 with the latest definitions.

Now the problem is worse than I thought!!! It keeps coming back because (I think) Microsoft SP2 has removed the security updates that were provided after SP1!!!!! They are still showing in Add/Remove Programs, and when I go to the Windows Update website it tells me no updates are available!!! BUT WHEN THE BLASTER WORM IS SHUTTING DOWN MY SYSTEM and all of a sudden, for the first time in my life, I'm flooded with BHOs, I'm convinced that after installing SP2 something went wrong with all the fix patches that were installed before!!!!

I'm trying to remove the viruses in Safe Mode and install the updates manually, to see what happens. If it doesn't work, I'll just wipe it clean and start from scratch!!!!

I won't install SP2 after it comes out until they fix all this crap!!!!

316 Posts
Joined 2001-07-27
OP
Thank you guys for all your replies. You guys are the best.

Funny!!! I just got the RPC thing that shuts down the system, and guess what!!! I got removal tools from Norton; it's not Blaster, not Sasser, not Welchia (these guys are not found on the system!!!). What else does that?
I'm running a full system scan using Norton and it is not picking up anything at all (running it in Safe Mode)!!!

This just proves how useless antivirus software is when there is actually a virus in the system!!! It doesn't do anything! ;(

What other worm/trojan/virus gives you that RPC message?

I'm thinking the entire computer business is so fragile with all the software problems. Linux is difficult to use (and I'm still struggling to learn the basics) and Windows is insecure! What should be done about this! This is not a question of taste or personal preference, but a question of survival of the human race until we wipe ourselves off the face of the planet with a piece of computer code!!!! (You can tell I'm going nuts!!!)

1457 Posts
Joined 2001-12-18
Look at this url: http://www.pestpatrol.com/Search/default.asp?qu=RPC&sc=%2F&Action=Go
You asked what other ones give this "RPC" message? Here are ten to start with
1. PestPatrol Pest Info - Exploit.Win32.DCom.e
http://www.pestpatrol.com/pestinfo/e/exploit_win32_dcom_e.asp
size 11068 bytes - 6/24/2004 4:07:03 PM GMT
2. PestPatrol Pest Info - Rpc-cmsd.c
http://www.pestpatrol.com/pestinfo/r/rpc-cmsd_c.asp
size 10138 bytes - 6/21/2004 8:00:51 PM GMT
3. PestPatrol Pest Info - RPC portmapper set/unset
http://www.pestpatrol.com/pestinfo/r/rpc_portmapper_set_unset.asp
size 10895 bytes - 6/21/2004 8:01:03 PM GMT
4. PestPatrol Pest Info - Rpc Bind 1.1
http://www.pestpatrol.com/pestinfo/r/rpc_bind_1_1.asp
size 13136 bytes - 6/21/2004 8:00:54 PM GMT
5. PestPatrol Pest Info - Sadmind Solaris RPC tiny Scanner
http://www.pestpatrol.com/pestinfo/s/sadmind_solaris_rpc_tiny_scanner.asp
size 10740 bytes - 6/21/2004 8:02:45 PM GMT
6. PestPatrol Pest Info - RPC Program Scanner
http://www.pestpatrol.com/pestinfo/r/rpc_program_scanner.asp
size 10091 bytes - 6/21/2004 8:01:04 PM GMT
7. PestPatrol Pest Info - Rpc scanner by console
http://www.pestpatrol.com/pestinfo/r/rpc_scanner_by_console.asp
size 10496 bytes - 6/21/2004 8:01:04 PM GMT
8. PestPatrol Pest Info - Prout.c abuse of pcnfs RPC program (version 2 only)
http://www.pestpatrol.com/pestinfo/p/prout_c_abuse_of_pcnfs_rpc_program__version_2_only_.asp
size 10864 bytes - 6/21/2004 7:48:28 PM GMT
9. PestPatrol Pest Info - Pscan2.c TCP/UDP/NIS/RPC scanner
http://www.pestpatrol.com/pestinfo/p/pscan2_c_tcp_udp_nis_rpc_scanner.asp
size 10735 bytes - 6/21/2004 7:48:41 PM GMT
10. PestPatrol Pest Info - Unknown Flooder
http://www.pestpatrol.com/pestinfo/u/unknown_flooder.asp
size 16544 bytes - 6/21/2004 9:07:42 PM GMT
 

316 Posts
Joined 2001-07-27
OP
Oh man, you said there was no information on that thing about a year ago!!! There is no information about anything named W32Parity on the Norton or McAfee websites. They must be using another name for it or something.
I searched Google, and guess what I found: http://www.ntcompatible.com/thread27230-1.html
and that is the only result.

PestPatrol worked, and BHODemon helped me remove my 4th BHO, and everything looks fine, but I know the thing is still in there, because when I type about:blank in IE, or type any invalid URL, that "Search for..." site comes up. No sign of that RPC thing!!! It just disappeared, just like that, like it never existed!!!!

Now what? Wait and see if there are more problems? How come it works for a few hrs and then everything goes upside down? Is there a time trigger or something?

It all started after installing SP2! I was so stupid. You know when they say if it ain't broke don't fix it!!! That is my problem!!!

Is there any way I could fix that blank page problem though? Where should I look to see what defines the "blank" page in Windows?

APK, I'm not using Kazaa or anything like that (if you remember, AlecStaar, a long time ago I had issues with my clients who used Kazaa!! And I talked to my workplace managers and the owner because you said you could create code that could remove Kazaa or block it or something, I can't remember. But the owner of the business (after a while running after him) finally told me that I'm overreacting, and they cannot go with that plan. Now they are charging people $149 if any trace of any P2P software is found on their system before they even consider looking at any software (so much for me overreacting).

Alec, you are one of the most helpful people on this forum and one of the most knowledgeable ones. I really appreciate all your help.
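The two registry mechanisms this thread turns on, described by Sampson above (a BHO is a CLSID listed under Explorer\Browser Helper Objects, and the DLL it loads is the default value of HKCR\CLSID\{clsid}\InprocServer32) and the about:blank redirect asked about in the previous post (IE serves about:blank from whatever HKLM/HKCU\Software\Microsoft\Internet Explorer\AboutURLs\blank names), can be checked offline from a `reg export` dump. The script below is an added example, not code from the thread or from BHODemon. Its sample export is constructed: the first CLSID and phanaa.dll are the ones quoted earlier in this thread, the second entry is a placeholder for a benign vendor helper, and http://example.invalid/search stands in for the hijacker's page. The "unnamed DLL sitting directly in System32" heuristic is drawn from the three DLL names seen in this thread (gfmhaab.dll, phanaa.dll, jbafagd.dll) and is a triage hint, not a detection signature.

```python
r"""Offline triage of an IE hijack from `reg export` text: a BHO is a CLSID under
...\Explorer\Browser Helper Objects whose DLL is HKCR\CLSID\{clsid}\InprocServer32,
and about:blank is served from whatever ...\Internet Explorer\AboutURLs\blank names."""
import re

# Constructed sample export.  The first CLSID/DLL pair is the one quoted in this
# thread; the second is a placeholder for a benign vendor helper, and
# http://example.invalid/search stands in for the hijacker's page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3019DB0B-E808-45A0-9D2E-F44A4586EF4F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{3019DB0B-E808-45A0-9D2E-F44A4586EF4F}\InprocServer32]
@="C:\\WINDOWS\\System32\\phanaa.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}]
@="Example Vendor Helper"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\AboutURLs]
"blank"="http://example.invalid/search"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKEY_...\path]
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @=... or "name"=...
BHO_MARKER = "\\explorer\\browser helper objects\\"
STOCK_BLANK = "res://mshtml.dll/blank.htm"            # IE6's default about:blank target


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '' is the key's default value.
    String data is unescaped; other types (hex:, dword:) are kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2)
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def list_bhos(keys):
    """Join every registered BHO CLSID to (clsid, friendly name, InprocServer32 DLL)."""
    found = {}
    for path in keys:
        idx = path.lower().find(BHO_MARKER)
        if idx != -1:
            clsid = path[idx + len(BHO_MARKER):].split("\\")[0].upper()
            found.setdefault(clsid, [None, None])
    for path, vals in keys.items():
        pl = path.lower()
        for clsid, slot in found.items():
            if pl.endswith("\\clsid\\" + clsid.lower() + "\\inprocserver32"):
                slot[1] = vals.get("")
            elif pl.endswith("\\clsid\\" + clsid.lower()):
                slot[0] = vals.get("")
    return sorted((c, n, d) for c, (n, d) in found.items())


def suspicious_bhos(bhos):
    """Triage hint from this thread: an unnamed helper whose DLL is a bare lowercase
    name dropped straight into System32.  A hint, not a signature; review every entry."""
    out = []
    for clsid, name, dll in bhos:
        if dll is None:
            out.append((clsid, "orphaned: no InprocServer32"))
        elif name is None and re.search(r"\\system32\\[a-z]+\.dll$", dll, re.I):
            out.append((clsid, dll))
    return out


def about_blank_override(keys):
    """Return where about:blank really goes if AboutURLs\\blank was changed, else None."""
    for path, vals in keys.items():
        if path.lower().endswith("\\microsoft\\internet explorer\\abouturls"):
            target = vals.get("blank")
            if target and target.lower() != STOCK_BLANK:
                return target
    return None


if __name__ == "__main__":
    import sys
    # XP's reg export writes Version 5.00 files as UTF-16 with a BOM, which "utf-16" decodes.
    text = "".join(open(p, encoding="utf-16").read() for p in sys.argv[1:]) or SAMPLE_REG
    keys = parse_reg(text)
    bhos = list_bhos(keys)
    for clsid, name, dll in bhos:
        print(f"BHO {clsid} name={name!r} dll={dll!r}")
    for clsid, why in suspicious_bhos(bhos):
        print(f"  SUSPECT {clsid}: {why}")
    print("about:blank ->", about_blank_override(keys) or "stock mshtml page")
```

On the affected machine, export the three keys with reg.exe (`reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg`, `reg export HKCR\CLSID clsid.reg`, `reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg`) and pass all three files to the script; run with no arguments it works on the built-in sample. Because the parser is generic, the same dump can be compared before and after the hijack reappears to see exactly which keys the reinstaller rewrites.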

316 Posts
Joined 2001-07-27
OP
Originally posted by sp4rk911:

Quote: Is the bar you can't remove the one called ISEARCH? Because I have that thing. If you can find a program to remove those things, such as XoftSpy or Adware Remover, you can get rid of everything. I have over 4800 spyware-infected files, so don't feel bad.
Thanks for the reply man, but don't come to my service department, because I hate spyware so much now!!!
 

316 Posts
Joined 2001-07-27
OP
Originally posted by Sampson:

Quote: Look at this url: http://www.pestpatrol.com/Search/default.asp?qu=RPC&sc=%2F&Action=Go
You asked what other ones give this "RPC" message? Here are ten to start with

That's going to take me a while, getting to all of them. I'm getting on them now, thank you!

Edit: All of them seem to be picked up by PestPatrol and none of them turned up in the scans. This was a great help though. I put this post somewhere else on this forum where they had the RPC issue when connecting to the ISP (if you don't mind). This may help him too.

Thank you very much Sampson.

316 Posts
Joined 2001-07-27
OP
Originally posted by AlecStaar:
 
Thanks, but I forget things & the spelling was wrong above: it's "W32Parite" (my nephew had to remind me by phone & I am @ fault on both threads, because it is spelt this way, not the way I spelled it above).
 
P.S.=> My nephew got it from Kazaa use & another user putting out infected files on it, & W32Parite did one "good" thing: Cured him of filesharing programs! apk
 
 
BINGO:

Quote:W32.Pinfi is a memory-resident polymorphic virus that will infect the .EXE and .SCR files. This virus can also spread via mapped drives and network shares.
 
Also Known As: Win32.Parite.a [KAV], W32/Pate.a [McAfee], Win32.Pinfi.A [CA], PE_PARITE.A [Trend], W32/Parite-A [sophos], Win32/Parite.A [RAV]
 
Type: Virus
Infection Length: ~177,917 bytes
 
 
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

 
and here is a look at the solution:

Quote: 1. Disable System Restore (Windows Me/XP). (have done it)
2. Update the virus definitions. (done that)
3. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT). (done that)
4. Run a full system scan and repair all the files detected as W32.Pinfi. (there are none)
5. Reverse the value that the virus added to the registry. (it's not there!)

The good news is this is not it!!! Because the registry item they mention is not there! The bad news is that I'm still lost and have no idea what's going on!!!

316 Posts
Joined 2001-07-27
OP
HEY I FOUND THE BASTARD!!!

I found the URL for the site where all my problems are coming from (with some tracing stuff), and my DNS provider gave me the Whois information for the guy!!! What is the best way of punishing the ass****? He has got to learn to earn his money by hard work, not by stealing on the internet!!! And spreading the stuff all over my computer!!!!

Here is the domain name if you want to look it up:
D8T.BIZ
and he uses lots of submasks and stuff!!!
It looks like he has provided a false phone number and his name doesn't sound right. And to top that off, he is giving out his Yahoo mail!

Could I give his info to the FBI or something? Any suggestion on how I could have revenge on this guy?
And look at this:
>>>> Whois database was last updated on: Fri Jun 25 06:21:43 GMT 2004 <<<<

1 Posts
Joined 2004-06-26
Norton is not capable of finding the culprits in your system.
 
Download a good AV program (Kaspersky 5.0 trial version www.kaspersky.com)
Run the updates, scan your pc, it WILL find the trojans on your HDD.
 
Next: Download SpyBot Search and Destroy:
http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button
 
Run the updates, scan your HDD, it will remove the registry entries.
 
I had the same issues going on, the above cleared it up & kept me from formatting.
 
JR

316 Posts
Joined 2001-07-27
OP
None of it worked. It's still there and it's installing crap on my computer every 2~3 hrs. The guy surely receives the emails, but no response.

I'm formatting the computer to reinstall Windows, but the cheap 56x CD-ROM is acting up in the middle of installation (it stops functioning when it gets warm)!!! Just to make my life more miserable!!! Thank god I always have at least two copies of my important files. Got to buy a new CD drive for the computer! It's just that at this time I'm totally broke (planning to get a DVD-RW drive, but if the CD dies now, I could only replace it with another cheap one!!!). They say worse things happen at the worst time!!!

Wish me luck, since this is the 3rd time I'm formatting my primary RAID partition to get Windows installed!!!

And thank you for all your help, can't do without your help.

16 Posts
Joined 2004-06-28
I found the answer! (Or at least it works for now...) The pop-up comes up saying "you might be infected by spyware........." I downloaded BHODemon and it showed this:

{F51CCAF2-C6EB-4C4A-BB92-C5F4F1904166}
C:\WINDOWS\System32\jbafagd.dll

What I did was go to the registry (regedit, if someone does not know) and delete all entries containing "jbafagd.dll" and "{F51CCAF2-C6EB-4C4A-BB92-C5F4F1904166}", and also delete the file. The problem was solved. If you decide to do it, DO IT AT YOUR OWN RISK.

462 Posts
Joined 2000-03-14
Hi Ali,

I know I haven't contributed to this thread, although everything has pretty much been said. But I have just seen this http://www.majorgeeks.com/download4281.html on the front page, which looks pretty cool (I ain't tried it yet, as I am at work, and I can't register it (it must use another port apart from 8080)).
I will try it when I get home. Anyway, just thought you might as well give it a try too.

GL