#1
Home page hijacked with various .dll's
Hi,
I am having the same issues. Here is my hijack log. It never goes away completely even after running all of the programs and software mentioned in other posts. This is really frustrating. What about reinstalling internet explorer, would this work? Thanks all.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ijklm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ijklm.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ijklm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ijklm.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ijklm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ijklm.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {146AFEBB-7120-BBED-61F3-F22CEAF0E120} - C:\WINDOWS\system32\crqg.dll
O4 - HKLM\..\Run: [d3fm32.exe] C:\WINDOWS\d3fm32.exe
O4 - HKLM\..\RunOnce: [javasr.exe] C:\WINDOWS\javasr.exe
#2
thread split...
#3
Does anyone have any suggestions? I have tried all remedies offered for other users but without success.
Thanks
#4
Hi polyjb,
I can help you but you need to post the entire HijackThis log:
Enable everything in MSCONFIG (if you have disabled anything). Go to Start > Run > msconfig > click Startup Tab > everything should have a checkmark to the left of it.
Download HijackThis (link below). Make sure you install HijackThis to a permanent folder such as C:\HJT as it creates backups of what we will fix.
Run the program, press Scan, press Save log. Notepad will open, copy and paste the entire log into your post.
Do not fix anything yet, most of what's in the log is needed!
Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan
Please read the stickys at the top of the forum before posting!
#5
Logfile of HijackThis v1.97.7
Scan saved at 7:24:49 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\d3fm32.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\d3cl32.exe
C:\Documents and Settings\Jerry Bumbaugh\Local Settings\Temp\Temporary Directory 76 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzlyq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzlyq.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzlyq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzlyq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pzlyq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pzlyq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35211BE1-8EDF-F9D6-D61F-027B7DB286D4} - C:\WINDOWS\ievr.dll
O4 - HKLM\..\Run: [d3fm32.exe] C:\WINDOWS\d3fm32.exe

Hi. Thanks for the response. I have continued to run hijackthis and delete the files off my system but a different form of the xxxxx.dll appears each time. As others have mentioned, it works for about a minute or so and then reverts back to the problem. Thanks again.
#6
That is still not a complete HijackThis log!
Please follow these instructions carefully! You may want to print this out.
Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm
Close all windows except HijackThis and fix these lines.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzlyq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzlyq.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzlyq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pzlyq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pzlyq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pzlyq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JERRYB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {35211BE1-8EDF-F9D6-D61F-027B7DB286D4} - C:\WINDOWS\ievr.dll

Then start APM. In the upper window select explorer.exe
In the lower window find and rightclick the BHO from the HijackThis log:

O2 - BHO: (no name) - {35211BE1-8EDF-F9D6-D61F-027B7DB286D4} - C:\WINDOWS\ievr.dll

Select Unload DLL and click OK on the prompts that follow.
Reboot and scan with AdAware (check for updates first!) to remove the txt and html protocol association.
Post a fresh HijackThis log.
Tom
#7
Ok. But this appears to be all the log provides me but I will try again. Thanks.
#8
I guess it's possible your log is that short..... doesn't seem probable though.
Go ahead with the fix posted earlier and we'll see how you're doing!
Tom
#9
Tom in proceeding to the step in the lower window...
The ievr.dll is not one of the 82 modules listed. I did make sure that I had selected the explorer.exe in the upper window.
#10
Ok, reboot and post a fresh HijackThis log.
#11
Logfile of HijackThis v1.97.7
Scan saved at 10:55:24 AM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\d3cl32.exe
C:\WINDOWS\d3fm32.exe
C:\Documents and Settings\Jerry Bumbaugh\Local Settings\Temp\Temporary Directory 78 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {41D2B4DA-7A72-4D83-2AB1-ABC9369BAC74} - C:\WINDOWS\system32\addta32.dll
O4 - HKLM\..\Run: [d3fm32.exe] C:\WINDOWS\d3fm32.exe
O4 - HKLM\..\RunOnce: [d3cl32.exe] C:\WINDOWS\system32\d3cl32.exe
O4 - HKLM\..\RunOnce: [syszm32.exe] C:\WINDOWS\syszm32.exe
O4 - HKLM\..\RunOnce: [atlks.exe] C:\WINDOWS\atlks.exe

Okay here is the new log after a reboot. Thanks.
#12
You might want to print these instructions. Logoff your internet connection. Do not reboot!
Hold down the Ctrl+Shift keys on your keyboard and tap the Esc key. This will open task manager. End the following processes by selecting it and pressing the End Process button and clicking Yes to the confirmation message:

d3fm32.exe
d3cl32.exe
syszm32.exe
atlks.exe

Close all browsers and other windows except HijackThis. Run HijackThis, place a checkmark next to the following items. Click "fix checked".

O2 - BHO: (no name) - {41D2B4DA-7A72-4D83-2AB1-ABC9369BAC74} - C:\WINDOWS\system32\addta32.dll
O4 - HKLM\..\Run: [d3fm32.exe] C:\WINDOWS\d3fm32.exe
O4 - HKLM\..\RunOnce: [d3cl32.exe] C:\WINDOWS\system32\d3cl32.exe
O4 - HKLM\..\RunOnce: [syszm32.exe] C:\WINDOWS\syszm32.exe
O4 - HKLM\..\RunOnce: [atlks.exe] C:\WINDOWS\atlks.exe

Boot into Safe Mode. Here's instructions: http://service1.symantec.com/SUPPOR...01052409420406/
Show hidden files: How to Show hidden files and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Delete the following files:

C:\WINDOWS\system32\addta32.dll
C:\WINDOWS\d3fm32.exe
C:\WINDOWS\system32\d3cl32.exe
C:\WINDOWS\syszm32.exe
C:\WINDOWS\atlks.exe
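
Added example, not part of any post in this thread: a Python sketch that compares entries from the three HijackThis logs above and separates file names that recur in every scan from entry types whose file name changes between scans. The regular expressions and shape labels are assumptions of this example, not HijackThis features.

```python
import re
from collections import defaultdict

# Entries copied from the HijackThis logs in posts #1, #5 and #11 (a few per scan).
SCANS = {
    "post #1": r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ijklm.dll/index.html#96676
O2 - BHO: (no name) - {146AFEBB-7120-BBED-61F3-F22CEAF0E120} - C:\WINDOWS\system32\crqg.dll
O4 - HKLM\..\Run: [d3fm32.exe] C:\WINDOWS\d3fm32.exe
O4 - HKLM\..\RunOnce: [javasr.exe] C:\WINDOWS\javasr.exe""",
    "post #5": r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pzlyq.dll/index.html#96676
O2 - BHO: (no name) - {35211BE1-8EDF-F9D6-D61F-027B7DB286D4} - C:\WINDOWS\ievr.dll
O4 - HKLM\..\Run: [d3fm32.exe] C:\WINDOWS\d3fm32.exe""",
    "post #11": r"""
O2 - BHO: (no name) - {41D2B4DA-7A72-4D83-2AB1-ABC9369BAC74} - C:\WINDOWS\system32\addta32.dll
O4 - HKLM\..\Run: [d3fm32.exe] C:\WINDOWS\d3fm32.exe
O4 - HKLM\..\RunOnce: [d3cl32.exe] C:\WINDOWS\system32\d3cl32.exe""",
}

# Assumed entry shapes for this example: (label, regex capturing the file name).
PATTERNS = [
    ("IE page -> res:// DLL", re.compile(r"^R[01] - .+ = res://(?:.*\\)?([^/\\]+\.dll)/", re.I)),
    ("BHO (no name)", re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - .*\\([^\\]+)$", re.I)),
    ("Run autostart", re.compile(r"^O4 - HKLM\\\.\.\\Run: \[[^\]]+\] .*\\([^\\]+)$", re.I)),
    ("RunOnce autostart", re.compile(r"^O4 - HKLM\\\.\.\\RunOnce: \[[^\]]+\] .*\\([^\\]+)$", re.I)),
]

def classify(line):
    """Return (shape, lower-cased file name) for a log line, or None if nothing matches."""
    for shape, rx in PATTERNS:
        m = rx.match(line.strip())
        if m:
            return shape, m.group(1).lower()
    return None

def stable_and_rotating(scans):
    """Return (file names seen in every scan, shapes seen with more than one file name)."""
    seen = defaultdict(lambda: defaultdict(set))  # shape -> file name -> scans
    for scan, log in scans.items():
        for line in log.splitlines():
            hit = classify(line)
            if hit:
                seen[hit[0]][hit[1]].add(scan)
    stable = sorted(n for names in seen.values() for n, s in names.items() if len(s) == len(scans))
    rotating = sorted(shape for shape, names in seen.items() if len(names) > 1)
    return stable, rotating

if __name__ == "__main__":
    print(stable_and_rotating(SCANS))
```

On these excerpts the Run entry for d3fm32.exe is the only file name present in all three scans, while the BHO, res:// DLL and RunOnce file names differ from scan to scan.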
#13
Ok. I did all the above and rebooted in normal mode afterwards. What do you suggest now?
Thanks.
#14
Also, by the way, I use MSN explorer now since IE does not work at all. I assume these run on different paths since one works and one is taken over by the hijackers.
#15
I've gone ahead and tried internet explorer and it seems to be working okay for now. I have opened and reopened it several times and it seems fine. I also shut down and rebooted a couple of times and again okay so far. Thanks for the help!!!