home page redirecting itself

Discussion in 'Security and Privacy' started by dragonsoul, 2004/06/27.

Thread Status:
Not open for further replies.
  1. 2004/06/27
    dragonsoul

    dragonsoul Inactive Thread Starter

    Joined:
    2004/03/01
    Messages:
    10
    Likes Received:
    0
    Please Help!

    My home page continues to redirect itself and will not stop doing so.
    I have scanned it with Norton anti-virus, ad-aware 6.1 and Spy-bot search and destroy and updated them as well. As of yet they have not been able to locate the problem. I have even gone into registry editor and tried to delete it manually but as soon as you go back on the internet it finds it again and automatically reinstalls itself.

    Here is the name of the file or website:
    res://zxtsx.dll/index.html#22776

    Please help and thanks for your time:
    GUY
     
  2. 2004/06/27
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0

  4. 2004/06/28
    mirror

    mirror Inactive

    Joined:
    2004/06/28
    Messages:
    55
    Likes Received:
    0
    Is that thing running as a service?
    Are you using 2000/XP?

    If so, go check the services; you may find something.

    Or, you can try
    Start-> Run -> regsvr32 /u ???.dll
    to unregister the dll. Hope it works.
     
    Last edited: 2004/06/28
  5. 2004/06/29
    dragonsoul

    dragonsoul Inactive Thread Starter

    Joined:
    2004/03/01
    Messages:
    10
    Likes Received:
    0
    I tried this and....

    I tried hijack this and tried the "fix all" button and it kept returning still!!!!

    please reply soon!!!!


    Logfile of HijackThis v1.97.7
    Scan saved at 6:36:21 PM, on 29/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\mskp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\WINDOWS\system32\msei32.exe
    C:\WINDOWS\System32\lexpps.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Documents and Settings\Nancy\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxtsx.dll/sp.html#22776
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxtsx.dll/index.html#22776
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxtsx.dll/index.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxtsx.dll/sp.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxtsx.dll/index.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zxtsx.dll/sp.html#22776
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7561BD5A-4319-21D1-6A49-CBCE972E06E8} - C:\WINDOWS\crim.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE "
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [MCCInstall] D:\Intro\AA\MCCInstall\English\MCCInstall.exe -Step=5
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe "
    O4 - HKLM\..\Run: [ieov32.exe] C:\WINDOWS\system32\ieov32.exe
    O4 - HKLM\..\Run: [msei32.exe] C:\WINDOWS\system32\msei32.exe
    O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.advcomputers.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.6376388889
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E309C48D-8578-4004-9416-D22F60F4BDF9}: NameServer = 198.235.216.111 209.226.175.223
     
    Last edited: 2004/06/29
  6. 2004/06/29
    mirror

    mirror Inactive

    Joined:
    2004/06/28
    Messages:
    55
    Likes Received:
    0
    Looks strange.
    Back up the key and delete the value. Restart and see.
     
  7. 2004/06/29
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I'm not expert enough to offer you a fix on this one but some of the things in the hijackthis log resemble one of the newer and really difficult-to-remove hijacks.

    I'm moving this to the security section and I suggest you do nothing until you get detailed instructions from one of the experts there.
     
  8. 2004/06/29
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    NOT A GOOD IDEA! You could have really messed up your Windows. HJT is a tool, it doesn't know good from bad. But, I can see that nothing happened anyway.

    First copy HJT into its own folder, it creates backups, and the Temp folder will not be a good place to keep them.

    Uninstall Blubster Support, reboot. It is adware.

    With all browsers closed, remove these.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxtsx.dll/sp.html#22776
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxtsx.dll/index.html#22776
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxtsx.dll/index.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxtsx.dll/sp.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxtsx.dll/index.html#22776
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zxtsx.dll/sp.html#22776
    O2 - BHO: (no name) - {7561BD5A-4319-21D1-6A49-CBCE972E06E8} - C:\WINDOWS\crim.dll
    O4 - HKLM\..\Run: [ieov32.exe] C:\WINDOWS\system32\ieov32.exe
    O4 - HKLM\..\Run: [msei32.exe] C:\WINDOWS\system32\msei32.exe
    O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm
    C:\WINDOWS\system32\msei32.exe
    C:\WINDOWS\System32\lexpps.exe

    Reboot and delete these files. You will need to set Windows Explorer to Show All Files to find them. At the toolbar in WE, go to Tools\Folder Options, click on View, then click on Show All Files then OK.
    C:\WINDOWS\system32\msei32.exe
    C:\WINDOWS\System32\lexpps.exe
    C:\WINDOWS\zxtsx.dll
    C:\WINDOWS\crim.dll
    Delete all files in C:\Documents and Settings\Nancy\Local Settings\Temp folder.
    Delete the folder C:\Program Files\BlubsterSupport.
    If you have a problem deleting, use MoveOnBoot.
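
Added example (not part of any post in this thread, and not HijackThis's own code): a short Python parser for the R0/R1 lines of a HijackThis log that groups Internet Explorer page settings pointing at a `res://` resource inside a local DLL, the pattern in the entries listed above. The function names are hypothetical; the sample lines are copied from the log posted earlier in the thread.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules on any platform

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zxtsx.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxtsx.dll/index.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxtsx.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zxtsx.dll/sp.html#22776
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O14 - IERESET.INF: START_PAGE_URL=http://www.advcomputers.com
"""

# "R0 - <registry key>,<value name> = <data>"; the data part may be empty.
R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),(.+?) =\s*(.*)$")

def parse_r_entries(log_text):
    """Return one dict per R-section line (IE start/search page settings)."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, key, name, data = m.groups()
            entries.append({"code": code, "key": key, "name": name, "data": data.strip()})
    return entries

def res_module(url):
    """Return the module named in a res://<module>/<resource> URL, else None."""
    if not url.lower().startswith("res://"):
        return None
    module, _, _resource = url[len("res://"):].partition("/")
    return module or None

def find_res_hijacks(log_text):
    """Map each DLL file name to the IE settings that load a page from it."""
    hits = defaultdict(list)
    for entry in parse_r_entries(log_text):
        module = res_module(entry["data"])
        if module:  # bare name and full path forms collapse to one file name
            hits[basename(module).lower()].append(f'{entry["key"]},{entry["name"]}')
    return dict(hits)

if __name__ == "__main__":
    for dll, settings in find_res_hijacks(SAMPLE_LOG).items():
        print(dll, "is referenced by", len(settings), "IE page settings")
```

Running it on a log saved before and after a fix shows whether the same DLL name has come back or a new one has taken its place.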
     
  9. 2004/06/30
    mirror

    mirror Inactive

    Joined:
    2004/06/28
    Messages:
    55
    Likes Received:
    0
    dragonsoul,
    Have a look here
    http://forums.techguy.org/t239446.html
    It looks like a virus that will change its file names all the time. But there are several .exe and .dll files. You can find them in the log.
    So for dll files, you can use regsvr32 /u ???.dll to unregister them as I told you in the first reply; for EXE files, you can remove them from the registry and delete them. Hope you can make it out. Good luck.
    ** make sure you back up the registry before modifying it.**
     
  10. 2004/06/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    dragonsoul,

    Do NOT unregister any dll's. It is no longer safe to do so. Please, just stick to the advice given by our more experienced members until your PC gets cleaned up. :)

    mirror,

    Until you are experienced enough to decipher the results of an entire log and give more informed advice, I suggest you don't.

    PS. We rarely send our members into the registry manually. We have tools to do those regedits, such as HijackThis.
     
  11. 2004/06/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Post a new Log, there is a fix for this using a combination of a tool called about:buster, hijackthis's ignorelist and adaware all while in safe mode.

    so new log and do you have adaware 6 181 ?

    also before you post again go get HijackThis v1.98 please
     
  12. 2004/06/30
    mirror

    mirror Inactive

    Joined:
    2004/06/28
    Messages:
    55
    Likes Received:
    0
    I just felt my unsafe solution is better than no solution. I did not tell anybody to unregister dll or modify registry BLINDLY. If you unregistered a dll by mistake, just register it again. If you delete a registry key by mistake, just restore it. My solution won't hurt.
    I am new to this forum and I was trying to help as much as I can. We may think differently, use different tools, but we are trying to do the same good. So, if you guys are not sure my solution is wrong, please just say "I don't think mirror is right."
     
  13. 2004/06/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    mirror,

    It IS unsafe to unregister bad dll's now. Many of the writers of this stuff know that some removal programs such as Ad-aware and Pest Patrol, have an option to unregister dll's prior to removal, for the tough ones in use, and have now started writing some of them to execute their bundled virus programs upon unregistering. Some of them are very nasty and destructive, and will prevent the user from accessing any other removal tools/sites.

    I am fully aware that you are only trying to help, and admire your intentions, but there is much more to properly removing some of these infections, and cleaning up afterwards, than what you have been offering. Fixing only a small piece of the problem can sometimes make it much more difficult to remove the biggest piece. In addition, improperly fixing some things can lead to bigger problems. If you truly want to help, sit back and study, research, and design your responses to help the most efficiently, effectively and safely. And when you are unsure, ask. The security forum is getting busier, and the help is welcome, but it is important to be careful and thorough when we tell folks what to do. Remember, these are not our own computers, and when someone does as you suggest, it is a great leap of faith in you knowing what you are doing. There is a great deal of information available for those that want to concentrate on helping people remove nasties from their PC's, and places to better learn how. If you fit into that category of persons, PM me and I'll give you more info. :) Welcome to WindowsBBS mirror. It is a friendly place to be. ;)
     
  14. 2004/06/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Lonny - do you have a good link to get the 1.98 version? I find any number of places including his page that talk about it being in final beta but can't seem to locate a link for downloading anything newer than 1.97.
     
  15. 2004/06/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The link in my signature is V 1.98, although it still says it's V 1.97
     
  16. 2004/06/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks Dave. You mean the link labeled CWShredder that takes you to Merlin's page where you get version 1.98 from the link labeled 1.97.

    Yup. By golly that's exactly what happens.
     
  17. 2004/06/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yep, that's the one ;)

    Hey dragonsoul, despite what it looks like, it's still your thread :rolleyes: Where you at and how are you doing?
     
  18. 2004/06/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Merijn was a little slow to upload the new version..
    there now I assume ?
    anyway the update from within works great (not that I understand why there was a difference) :D
     
  19. 2004/07/03
    kingb123

    kingb123 Inactive

    Joined:
    2002/12/05
    Messages:
    53
    Likes Received:
    0
    I'm having the exact same problem! HELP!
     
  20. 2004/07/03
    dragonsoul

    dragonsoul Inactive Thread Starter

    Joined:
    2004/03/01
    Messages:
    10
    Likes Received:
    0
    well i tried doing what everyone says ....

    well i tried doing what everyone says and all it did was have a few more new sites same starting res://... etc. would show up. I tried to change the binary codes so it wouldn't work as well, then it just fixed itself. Then I tried deleting them out of the regedit and it would just reappear, but the funniest thing of all was that when I modified the name so that it would be www.google.ca instead of the res://... it would literally run away. I watched it jump folder to folder trying to hide itself in the reg edit. (that was sort of cool and funny) Also it appears to want to hide in Media player. Do you think that it is possible to delete everything from the computer and start over from scratch, like reinstall winXP? Well anyway if you don't hear from me for a bit I'm gone on holidays. Don't worry about regedit and me being in it, I always go in there and know what to do and look for and if I don't then I don't go or touch that file :p Thanks
     
  21. 2004/07/03
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Go get the brand new version of hijackthis v1.98, BUT this time place it in a new folder of its own and make a new log please
    http://radiosplace.com/
    has in it both zip and exe form.
    that nasty sometimes takes a couple go-rounds to get it all.
     