Topic: Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D


mrgrego

  • Guest
Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
« on: May 26, 2004, 08:58:54 AM »
Hello,

I've got a small problem with my computer.

I use avast but unfortunately it didn't detect the trojan horse that I certainly ran inadvertently 2 days ago from an e-mail.

However, I don't know what avast calls it; I've found its description on other sites, for example it is called "Trojan.Popdis" by Norton.

Anyway, so far I've followed all the instructions (point after point) that I found on the web to remove it, which means modifying the Registry (REGEDIT), running the computer in safe mode, doing several scans of my disks with 3-4 anti-virus / anti-trojan programs (without finding any trojan), BUT my IE start page always tries to change its address to:

http://%%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D

I've searched thoroughly for what kind of program could send this command to IE to change the start page... but without result... :-\

For your information, I have:
Windows XP + IE 6

Fortunately, I've got AntiSpy software which detects when my start page is being changed.. but of course, always with a boring Windows alert pop-up.

Does anybody know how I could treat this issue? I guess that I no longer have this trojan on my computer as no AntiVirus detects it, but its bad effect remains... :-[

whocares

  • Guest
Re:Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
« Reply #1 on: May 26, 2004, 11:16:00 AM »
Hi,

!!  if you've identified the malicious file, please send it to virus@avast.com

- have you run SPYBOT, Ad-Aware & cwshredder?
- please post a HijackThis log: http://hjt.klaffke.de/en
- Apply all Windows updates
& secure your IE: disable ActiveX & scripting except for known, SECURE sites..

Links & details: please see above search
 ;)

mrgrego

  • Guest
Re:Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
« Reply #2 on: May 26, 2004, 06:08:00 PM »
Hi!

Thank you for your kind answer.

Concerning AntiSpy software, I've used SpySweeper & TZ Spyware-Adware Remover without any spyware discovered. FYI, I have used SpySweeper for about 1 year.

Here below is the log file of HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 18:05:10, on 26/05/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINNT\system32\crypserv.exe
F:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
F:\WINNT\System32\nvsvc32.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\Program Files\Alwil Software\Avast4\ashDisp.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
F:\WINNT\System32\ctfmon.exe
F:\Program Files\ICQLite\ICQLite.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\PROGRA~1\WINZIP\winzip32.exe
F:\Documents and Settings\arthur\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.k-ramail.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.k-ramail.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.k-ramail.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.k-ramail.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = htp://
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - F:\WINNT\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] F:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] F:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [RoboForm] "F:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] F:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: ICQ 4.0.lnk = F:\Program Files\ICQLite\ICQLite.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Enregistrer &[ - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Personnaliser &Menu - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Remplir &$ - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Si&milar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)

Thank you in advance for your precious help!

whocares

  • Guest
Re:Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
« Reply #3 on: May 26, 2004, 06:19:31 PM »


O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - F:\WINNT\dpe.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


Hi,

FIRST!!: move the hijackthis.exe to a NEW, empty folder, outside TEMP; otherwise you'll lose its backups..

- fix everything in R0, R1, R3

- please send this dpe.dll to avast !!

- also fix the above-quoted items

  best do the fixing in Safe Mode (F8 boot)

*

--> work on the other advice, e.g. your WINDOWS/IE is
a) not up to date
b) not secured: see above, board search & Google

 ;)
« Last Edit: May 26, 2004, 06:21:16 PM by whocares »

mrgrego

  • Guest
Re:Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
« Reply #4 on: May 26, 2004, 06:54:32 PM »
Hi again,

Thank you for your response!

I've moved this dpe.dll, and another dped.dll just created today in the same directory, to another new directory. Then I've sent it to the e-mail address you gave me.

I apologize that I ran the HijackThis tool directly from the Zip file; I see that it is a common issue that I shall avoid in future :-\

Something surprising is that when I go to the Windows Update website, it does not tell me that I need to upgrade, nor that I need to download critical patches... (certainly because I own a strange WXP version.. 8) )

So the new HijackThis result is the following:

Logfile of HijackThis v1.97.7
Scan saved at 18:48:50, on 26/05/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\spoolsv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINNT\system32\crypserv.exe
F:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
F:\WINNT\System32\nvsvc32.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\Program Files\Alwil Software\Avast4\ashDisp.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
F:\WINNT\System32\ctfmon.exe
F:\Program Files\ICQLite\ICQLite.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Program Files\Kazaa Lite K++\KazaaLite.kpp
F:\PROGRA~1\WINZIP\winzip32.exe
F:\Documents and Settings\arthur\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.k-ramail.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.k-ramail.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.k-ramail.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.k-ramail.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = htp://
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - F:\WINNT\dpe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] F:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] F:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [RoboForm] "F:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] F:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: ICQ 4.0.lnk = F:\Program Files\ICQLite\ICQLite.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Enregistrer &[ - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Personnaliser &Menu - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Remplir &$ - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Si&milar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38133.3830671296

FYI, http://www.k-ramail.net is my correct homepage, so how can I fix the points you wrote? Do I have to remove these lines completely from my registry or write something else?

Thank you for your support which is really appreciated.

Best regards !


whocares

  • Guest
Re:Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
« Reply #5 on: May 26, 2004, 07:14:31 PM »

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = htp://
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - F:\WINNT\dpe.dll (file missing)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


then just fix the mentioned lines where your homepage isn't in it.., huh?

meaning the quoted ones above..

FIXING means clicking & marking the little squares in front of the mentioned malicious/useless items in the HijackThis log, and then clicking "FIX CHECKED"

 ;)

P.S.: if by "strange WXP version" you mean what I think you mean, then
a) you shouldn't mention this here
b) rectify the strangeness
c) download & install at least the newest version of IE6 & the patches in MS04-011 - MS04-015:
http://www.microsoft.com/security/security_bulletins/

« Last Edit: May 26, 2004, 07:26:27 PM by whocares »
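As an added example for this thread (not code posted by anyone here), the Python script below decodes the doubled percent-encoding that disguises the hijacker's hostname in the topic title and applies the triage rule from the reply above to HijackThis R0/R1/R3 lines: URLs on the user's own homepage are kept, while bare `http://` stubs, malformed schemes such as `htp://`, and hosts not on the trusted list are marked for fixing. The sample lines are copied from the thread's log except the last, which is constructed; the trusted host set is an assumption based on the poster saying www.k-ramail.net is his correct homepage.

```python
import re
from urllib.parse import unquote, urlsplit

# Start page the hijacker keeps setting, as quoted in the thread title.
OBFUSCATED_START_PAGE = "http://%%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D"

# First six lines copied from the thread's HijackThis log; the last is CONSTRUCTED
# to show what the Start Page entry looks like while the hijacker has its way.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.k-ramail.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.k-ramail.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = htp://
R3 - Default URLSearchHook is missing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://%%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
"""
R_LINE = re.compile(r"^(R[0-3]) - (?P<key>[^=]+?)(?: = (?P<value>.*))?$")


def deobfuscate_url(url):
    """Collapse '%%XX' to '%XX' and percent-decode until nothing changes."""
    while True:
        decoded = unquote(url.replace("%%", "%"))
        if decoded == url:
            return url
        url = decoded


def classify_value(value, trusted_hosts):
    """'keep' = URL on a trusted host; 'fix' = stub, bad scheme or foreign host; 'review' = not a URL."""
    parts = urlsplit(deobfuscate_url(value))
    if parts.scheme in ("http", "https"):
        if not parts.hostname:
            return "fix"  # bare "http://" stub left behind by the hijacker
        return "keep" if parts.hostname in trusted_hosts else "fix"
    if "://" in value:
        return "fix"  # malformed scheme such as "htp://"
    return "review"  # not a URL, e.g. the localized Links folder name


def triage_r_lines(log_text, trusted_hosts):
    """Return (line, verdict) pairs for every R0/R1/R3 entry in a HijackThis log."""
    results = []
    for raw in log_text.splitlines():
        m = R_LINE.match(raw.strip())
        if not m:
            continue
        value = m.group("value")  # None for "R3 - Default URLSearchHook is missing"
        verdict = "fix" if value is None else classify_value(value, trusted_hosts)
        results.append((raw.strip(), verdict))
    return results
```

Calling `triage_r_lines(SAMPLE_LOG, {"www.k-ramail.net"})` returns keep for the two k-ramail.net entries and fix for everything else except the Liens folder name, which is left for a human to review.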

mrgrego

  • Guest
Re:Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
« Reply #6 on: May 26, 2004, 07:24:36 PM »
OK, I see, sorry my brain is not really working well sometimes ;D

But what will HijackThis do? Will it erase all those lines or just clean their data?

I guess it repairs them, because I don't know how IE would work without start page info, would it?

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = htp://
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - F:\WINNT\dpe.dll (file missing)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

Thank you and best regards !

whocares

  • Guest
Re:Trojan: %%68%%6F%%6D%%65%%70%%61%%67%%65%%2E%%63%%6F%%6D
« Reply #7 on: May 26, 2004, 07:27:06 PM »
Please reread edited posting above ;)