December 02, 2005 - 08:12PM PST
Security
asked by brikeyes on 11/10/2005 08:41AM PST

I have some kind of infection. My browser gets redirected to spyaxe.com every time I open a new browser in IE; I can use Firefox no problem. I have tried Spybot, HijackThis and a bunch of others. Any idea?

Comment from war1
Date: 11/10/2005 08:47AM PST
Comment

Greetings, brikeyes !

Some website has hijacked your homepage.  Try to remove it from Add/Remove Programs in Control Panel.

1. Use the following scanners to find and remove the website.

Adaware
http://www.lavasoftusa.com/software/adaware/
or
Trojan Hunter
http://wiki.castlecops.com/Securing_Your_Computer:_Trojan_Removal_Programs#TrojanHunter_Trial
or
Ewido
http://www.ewido.net/en/

2. Some porn websites redirect links to their websites using your HOSTS file. Do a search for the HOSTS (without extension) file and remove the entry.

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, then Save. Post a link to the saved list here.

Best wishes!
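
An added example, not part of the thread: step 2 above as code. It parses a HOSTS file (on Windows XP that is %SystemRoot%\system32\drivers\etc\hosts) and reports every mapping that is not the default localhost line, telling apart entries that blackhole a site to loopback (so the victim cannot reach an anti-spyware vendor) from entries that redirect it to some other address. The sample file content is constructed for the example; the hijacked entries in it are illustrative and are not from brikeyes' machine.

```python
import ipaddress

# Constructed sample of a Windows XP HOSTS file (not taken from the thread).
# A clean XP HOSTS file contains only the localhost line; the last two
# entries imitate the kind of hijack described above: one security-vendor
# site blackholed to loopback, another redirected to an attacker-chosen IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.lavasoftusa.com    # added by a hijacker
10.0.0.1        ewido.net www.ewido.net
"""

# The only mapping a default Windows XP HOSTS file ships with.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname, ignoring comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue   # not a valid address, skip the malformed line
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def suspicious_entries(text):
    """Return every non-default entry as (ip, host, reason).

    A loopback target silently blocks the site; anything else redirects it.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            reason = "blackholed to loopback (site unreachable)"
        else:
            reason = "redirected to " + ip
        findings.append((ip, host, reason))
    return findings


if __name__ == "__main__":
    for ip, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{host:25} -> {ip:12} {reason}")
```

Run it against the real file by reading it with `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()` in place of SAMPLE_HOSTS; an empty result means the file is at its default and the redirect is coming from somewhere else (a BHO, a Run entry, a service).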

Comment from tim_qui
Date: 11/10/2005 09:33AM PST
Comment

Make sure you go into Tools > Internet Options > General and change your home page.

Comment from brikeyes
Date: 11/10/2005 09:42AM PST
Author Comment

OK, I am running Ad-Aware right now and it did not find anything. Nothing in the HOSTS file.

Comment from brikeyes
Date: 11/10/2005 09:55AM PST
Author Comment

Trojan Hunter found nothing.

Comment from war1
Date: 11/10/2005 10:03AM PST
Comment

brikeyes,

Ewido should find it.  If not post a link to HijackThis analyzed log.

Comment from tim_qui
Date: 11/10/2005 10:14AM PST
Comment

Did you try changing your home page?

Comment from brikeyes
Date: 11/10/2005 10:40AM PST
Author Comment

OK, tried to change home page and it still comes back to syserrors.com. Ewido found a lot of stuff and I deleted it, but whenever I launch IE, Ewido comes up with a notification that it has found spyware in c:\windows\system32\hp8879.tmp and asks if it is OK to clean it.

Will run HijackThis and post the results.

Comment from brikeyes
Date: 11/10/2005 10:41AM PST
Author Comment

HijackThis results:
Logfile of HijackThis v1.99.1
Scan saved at 1:42:08 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\1024\ld3F80.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\1024\ldFAD4.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HJT2\HijackThis.exe

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp8879.tmp
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcssi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcssi.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Comment from brikeyes
Date: 11/10/2005 10:45AM PST
Author Comment

I removed the BHO home page but it comes back as BHO unnamed when I scan again.

Comment from brikeyes
Date: 11/10/2005 10:48AM PST
Author Comment

After reboot now it finds zlob.az.

Comment from tim_qui
Date: 11/10/2005 10:51AM PST
Comment

Disable System Restore: Start > Control Panel > switch to classic view > System > System Restore tab, now turn off System Restore, then run Ewido again.

Also for c:\windows\system32\hp8879.tmp do the following:

(0) If running XP Home, boot in safe mode, if XP Pro, start directly with step (1)

(1) Right click on the file (mllif.dll) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot.

After reboot, the file will be unable to run because no one will have any permission to use it.

Comment from tim_qui
Date: 11/10/2005 10:54AM PST
Comment

oops, I meant this

(1) Right click on the file ( c:\windows\system32\hp8879.tmp) in Windows Explorer or My Computer, select Properties


Once you are in Windows Explorer, go to Tools > Folder Options > View, then make sure "Show hidden files and folders" is selected.

Comment from war1
Date: 11/10/2005 11:12AM PST
Comment

>> whenever i launch IE ewido comes up with a notification that it has found spyware in c:\windows\system32\hp8879.tmp and asks if it is ok to clean it >>

Run Ewido a couple of times, as it finds more malware each time.  Can you manually delete hp8879.tmp in Safe Mode?

Here is a link to your HijackThis saved analysed log

http://hijackthis.de/logfiles/8cd31ee4eddd2ba54c7a18f2a19dc9d4.html

While in Safe Mode, have HijackThis remove the following processes

C:\WINDOWS\system32\nvctrl.exe

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp8879.tmp

Are you familiar with this domain?  If not have HijackThis remove them

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcssi.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcssi.com

Use Killbox or Unlocker in Safe Mode to remove hard to remove file.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

If you cannot delete the file, disable it.  Right click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent".  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".
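
An added example that is not part of the thread, of HijackThis, or of hijackthis.de: a small triage pass over a HijackThis log that flags the same kinds of entries picked out above. It keys on the shape of the indicators rather than on names: executables loaded from .tmp files, the two-letter-plus-four-hex-digit temp names this thread sees coming back under a new name after every reboot (hp8879, hpa587, hpb611, ld3F80, ldFAD4), the non-standard system32\1024 folder, a BHO that is not a DLL, O23 services with no publisher, and O17 domain entries for the user to confirm. The sample log is a constructed excerpt of the entries discussed here, and the random-name regex is an assumption drawn from those names, not a published signature.

```python
import re

# Constructed excerpt in HijackThis log format, built from the entries this
# thread discusses (the full log is in brikeyes' post above). The rules
# below are this example's own, not HijackThis's or hijackthis.de's.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\1024\ld3F80.tmp
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp8879.tmp
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcssi.com
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# A Windows path (optionally quoted) ending the line.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]+?\.[A-Za-z0-9]{2,4})"?\s*$')
# hp8879.tmp, hpa587.tmp, hpb611.tmp, ld3F80.tmp: two-letter prefix, four hex
# digits, .tmp. Assumption drawn from the names in this thread: the file
# reappears under a new name after each reboot, so match the shape, not the name.
RANDOM_TMP_RE = re.compile(r"^(?:hp|ld)[0-9a-f]{4}\.tmp$", re.IGNORECASE)


def path_findings(path, line):
    """Rules applied to any executable path, from the process list or an O-entry."""
    folder, _, name = path.rpartition("\\")
    out = []
    if name.lower().endswith(".tmp"):
        out.append(("high", line, "code running from a .tmp file: " + path))
    if RANDOM_TMP_RE.match(name):
        out.append(("high", line, "random-looking temp name: " + name))
    if folder.lower().endswith("\\system32\\1024"):
        out.append(("high", line, "non-standard system32 subfolder: " + folder))
    return out


def triage(log_text):
    """Return (severity, log line, reason) tuples for a HijackThis log."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = PATH_RE.search(line)
        path = m.group(1) if m else None
        if in_processes:
            if path:
                findings.extend(path_findings(path, line))
        elif line.startswith("O2 "):           # Browser Helper Object
            if path:
                findings.extend(path_findings(path, line))
                if not path.lower().endswith(".dll"):
                    findings.append(("high", line, "BHO is not a .dll: " + path))
        elif line.startswith("O4 ") and path:  # autostart entry
            findings.extend(path_findings(path, line))
        elif line.startswith("O17 "):          # DNS domain / search suffix
            findings.append(("info", line, "confirm this domain is your own network"))
        elif line.startswith("O23 ") and "Unknown owner" in line:
            findings.append(("review", line, "service binary has no publisher; verify it"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Name-only indicators such as nvctrl.exe get no hit from these rules; that is where the hijackthis.de lookup linked above, or a vendor search, still has to do the work. The point of matching on shape is that the hp*.tmp file can be renamed on every reboot without escaping the rule.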

Comment from brikeyes
Date: 11/10/2005 11:12AM PST
Author Comment

Now I can't find the hp8870.tmp but I did find hpa587.tmp and followed the instructions and rebooted, and it detected zlob.az on reboot and all the other symptoms are still there. Is there a way to block the Windows notification balloon that tells me I have a virus? It is hard to type.

Comment from brikeyes
Date: 11/10/2005 11:25AM PST
Author Comment

I was not able to delete it with Killbox, but I was able to kill it in Safe Mode; it came back after a reboot and renamed itself hpb611.tmp.

Comment from war1
Date: 11/10/2005 11:34AM PST
Comment

If you cannot delete the file, disable it.  Right click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent".  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".

Is Ewido throwing up the balloon?  You can disable the warning in the Ewido options menu.

Comment from brikeyes
Date: 11/10/2005 11:38AM PST
Author Comment

I was able to delete it but it comes back when I reboot. The balloon is from Windows; I also disabled it.

Comment from brikeyes
Date: 11/10/2005 11:45AM PST
Author Comment

I might just have to format this thing

Comment from war1
Date: 11/10/2005 11:49AM PST
Comment

You did disable the file in Safe Mode.  In Safe Mode, process monitoring of the file may not be enabled.

If the file keeps regenerating, disable it by the procedure I posted above, by removing the permissions.  Then the file is useless, but will not regenerate.

Accepted Answer from rpggamergirl
Date: 11/10/2005 01:35PM PST
Grade: A
Accepted Answer

Hi brikeyes,
That file belongs to a smitfraud infection, please try this.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe and save the file to your desktop.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in Safe Mode by doing the following:
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
[*]Instead of Windows loading as normal, a menu should appear
[*]Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to this entry and click "Fix checked":

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp8879.tmp

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.  Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

While still in Safe Mode run Ewido Security Suite

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Delete these files if still present; end the process first (they might no longer be present):
C:\WINDOWS\system32\1024\ld3F80.tmp
C:\WINDOWS\system32\1024\ldFAD4.tmp
C:\WINDOWS\system32\nvctrl.exe

Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm



Comment from gidds99
Date: 11/10/2005 01:46PM PST
Comment

Spyaxe is a suspect antispyware product.  Can you uninstall it via add/remove programs?

Comment from war1
Date: 11/10/2005 01:50PM PST
Comment

gidds99, I already posted about removing Spyaxe from Add/Remove Programs.

Comment from gidds99
Date: 11/10/2005 02:30PM PST
Comment

Sorry, I missed that.  Maybe brikeyes missed it too.  You can't have enough good advice :))

Comment from BenReynolds
Date: 11/11/2005 04:52AM PST
Comment

Some help for annoying warning screens:

The annoying message on your desktop is kind of hard to get rid of when you don't know how.
Click on the upper edge of the screen and drag it down until you notice a cross in the upper right corner. Click it to close the screen and you will have access to your real desktop and can change the settings.
It is a modified explorer screen laid between your desktop and the shortcuts on it. Easy once you know.

http://www.wilderssecurity.com/showthread.php?t=75890

This is a nasty piece of spyware.

Comment from brikeyes
Date: 11/11/2005 05:58AM PST
Author Comment

Thanks rpggamergirl! That did it; you saved me a lot of time. I was ready to format the hard drive and start over!!!

Brian

Comment from rpggamergirl
Date: 11/11/2005 12:07PM PST
Comment

Glad you got rid of it brikeyes.
Just found out that SpyAxe sometimes leaves its folder in Program Files; you might like to check that and, if it did, delete it.

Thank you very much for the points.

Copyright © Experts Exchange LLC 2005. All rights reserved.