Browser hijacked but I can't find the problem!

Status
Not open for further replies.

tyke

I am using Windows XP Pro, Service Pack 2, and IE 6.
When I click on a Google search result my browser is redirected to something like Http://64.111.198.178/php?c=69284 (this changes after I re-connect), then further redirected to http://www.web-prayers.com, or I end up at either a commercial site or, if it's a blank page, dns4error.com.
HJT hasn't found anything new during this (except a 017 referring to tcpip, which it always does).
I have (several times now) run AVG, AVG Anti-Spyware, and Spybot (all in safe mode). I tried 'fixwareout' (twice), I d/loaded 'ComboFix' and ran that, which only messed up the toolbar on my IE. On trying a system restore I found it wasn't working; I get the message "System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again." Now time won't sync either. I went into Services to try and restart time-sync but it didn't help. While there I tried to restart System Restore in services.msc, but got access denied, error code 5. That may have been like that for a long time though, but I thought I'd mention it.
Before the scans I cleared all my temp folders etc. I have searched for various things in the registry and checked my host file, which says simply '127.0.0.1 localhost', which I believe is normal, although AVG always says it has 'changed'.
IE crashes quite a lot though. I can't fix this because I can't find anything!
help!!!!!!!
 
Here is my latest HJT log. I tried to add it as an attachment but my IE wouldn't let me lol

(Moderator edit: To learn how to attach a log file, please see HERE.)
 
Ah, sorry about that Jason, I posted the log before I saw your reply. I will follow the instructions and keep ya posted, ty. :)
 
You are running an older version of HijackThis.

The current HijackThis version is 2.02

It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.

To get things going I need you to download HijackThis; see the instructions below.

* Click here to download HJTsetup.exe
* Save HijackThis Installer to your desktop.
* Double-click on the HijackThis Installer icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch HijackThis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back here to this thread and post your log as an attachment in your next reply.

DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Regards Jason :)
 
It's ok mate - make sure you take a note of my instructions above and get the newer HijackThis.

Regards Jason :)
 
Unfortunately it just won't let me click certain links. In the guide I followed instructions where I could. I ran the housedoctor scan, which found and fixed a few things, then the problem would not let me d/load the latest HJT; similarly I just couldn't get the 3 tools either.
I tried around 20 times, and ended up with 20 explorer windows all with the dns4error.com webpage.
I DID manage to get the panda rootkit one though. I rebooted, ran the scan and it found nothing. Incidentally, I saved your 'Viruses/Spyware/Malware, preliminary removal instructions' page to my desktop, and when I went to open it later (while not online) it still reverted to the dns4error.com page twice before I could get the real one to come up.
As I couldn't do much online I had a root around in system32. A file made 29/11/07 is called e404d.dll
I then searched regedit and found this link to it:
HKEY_CLASSES_ROOT\CLSID\{9164f608-219b-4d9b-9a9d-3b0d699041a2}\InProcServer32
It says default, under type it says REG_SZ and under data it says e404d.dll
I also found tconn1.dll and tlove2.dll in system32, but neither came up in a search of regedit.
I deleted tconn1.dll and tlove2.dll, and I think I should go into safe mode and delete the e404d.dll? Should I delete the entry in the reg also?
 
Thanks for the link Jason, unfortunately I couldn't get that to work either.
So, I got impatient, and I went into safe mode and, after making a copy of the e404d.dll, I deleted it, and rebooted... to my amazement the problem had gone! I'm still not sure how, but after trying several websites and rebooting, it hasn't returned! I'm still not sure what I should do about the reference to the file in the registry, but so far everything seems fine, and it's a good feeling! Any further advice on the registry would be appreciated, and also thanks for your help, you guys rock!
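
Added example, not part of the original thread: the question left open above is the InProcServer32 registration that still points at the deleted e404d.dll. This Python script parses a regedit export (.reg text) and lists InProcServer32 entries whose DLL is no longer on disk; the second CLSID, example.dll and the file listing are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in regedit's .reg export format. Only the e404d.dll
# CLSID comes from the thread; the second key is a made-up placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9164f608-219b-4d9b-9a9d-3b0d699041a2}\InProcServer32]
@="e404d.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\example.dll"
'''

KEY_RE = re.compile(r'^\[.+\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def inproc_servers(reg_text):
    """Yield (clsid, dll_path) for each InProcServer32 default value."""
    clsid = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            # A new key header: remember the CLSID only for InProcServer32 keys
            m = KEY_RE.match(line)
            clsid = m.group(1) if m else None
        elif clsid:
            m = DEFAULT_RE.match(line)
            if m:
                # Backslashes are doubled inside .reg string values
                yield clsid, m.group(1).replace('\\\\', '\\')


def orphaned(reg_text, existing_files):
    """Return registrations whose DLL file name is not in existing_files."""
    present = {name.lower() for name in existing_files}
    return [(c, p) for c, p in inproc_servers(reg_text)
            if PureWindowsPath(p).name.lower() not in present]


if __name__ == "__main__":
    # Assumed system32 listing taken after e404d.dll was deleted
    for clsid, dll in orphaned(SAMPLE_REG, ["example.dll"]):
        print(f"{clsid} -> {dll} (file missing)")
```

Real regedit 5.00 exports are UTF-16, so read them with `open(path, encoding="utf-16")`. The comparison is by file name only, which suits a bare name such as e404d.dll that Windows resolves through the DLL search path.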
 