Bizarre problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by aric_dacia, Mar 3, 2005.

  1. aric_dacia

    aric_dacia Private E-2

    Whenever I type in an address in IE I'm sometimes taken to seemingly random sites. I've run adaware, done virus scans, used spybot search & destroy, etc. I've found references to mediaplex and fastclick and I've seemingly removed them but they keep popping up again. Can someone help me? This is my hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:21:45 AM, on 3/3/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dpmw32.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Novell\ZENworks\NALDESK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Creese\My Documents\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe"
    /WAITSERVICE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program
    Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
    Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Application Explorer.lnk = C:\Program
    Files\Novell\ZENworks\NALDESK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
    present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
    present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,
    DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Novell delivered applications -
    {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Chat -
    http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
    -
    http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105542312750
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc.
    - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
    C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell,
    Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner -
    C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program
    Files\Novell\ZENworks\wm.exe
     
    aric_dacia, Mar 3, 2005
    #1
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Please follow forum guidelines! HJT is not the first step in removing Malware. Please pay close attention!


    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


    Second:


    Please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your Program Files directory, right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the needed tools to this folder and if you prefer, create sub-folders named for each individual utility.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread     NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    To Repeat: Please be sure to reply in this thread if you need further assistance or have any questions. Someone WILL be along to help you as soon as they can. You can help us help you by following the above instructions and providing detailed information as to the difficulties you are having and/or continuing to have after you have completed the Basic Spyware, Trojan And Virus Removal tutorial. Just telling us you followed the tutorial does not give us enough information. You need to let us know the results...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    We all recognize that if you are here asking for help you are probably frustrated and maybe even angry that your computer has been taken over by some malicious program. Rest assured, we want to help you but that we get frustrated too when we are not given the requested information or when instructions are not followed. Don't be afraid to ask for additional help if you don't understand something! There is no such thing as a dumb question and we do not expect everyone who comes here to have vast computer knowledge, however you will be more educated and better prepared to prevent re-infestation when you leave here!:)


    After you have ran all the steps in the READ ME and relocated HJT, post a new log as an attacment to your post!


    Good luck!:)
     
    bjgarrick, Mar 3, 2005
    #2

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds