IE startup generates trojan warnings - help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by andrewfmuir, Dec 23, 2004.

  1. andrewfmuir

    andrewfmuir Private E-2

    Hi, running W2k, recently getting McAfee VirusScan messages when I start IE - names of appjw.exe, efpxw.dll, javasa.exe, mfczd.exe and ntts32.exe - the dll one is flagged up as IE page replacement. McAfee seems to delete them but this happens each time I start IE. I have now installed Firefox as an alternative but want to sort these messages before something worse happens! I have gone through the removal instructions as posted on this site, no difference. I have installed HJT and gone through log file, did not notice anything strange but no expert. Any advice?
    Thanks a lot!
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Andrewfmuir,

    If you have exhausted the resources of the Cleanup Tutorial ( including the Online Scans), then please send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

    Best :)
    PP
     
  3. andrewfmuir

    andrewfmuir Private E-2

    Thanks a lot, here's the file.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must put HijackThis in the proper folder as specified. Phillie gave you C:\Program Files\HijackThis
    You are still running it from C:\Documents and Settings\andrew_mu\My Documents\internet\downloads\cleanup\hijackthis\HijackThis.exe

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\suazr.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\suazr.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {EF27DC93-FC36-699F-3585-66C9B83BFFA7} - C:\WINNT\mfcmx.dll

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\suazr.dll
    C:\WINNT\mfcmx.dll

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Questions:

    Did you add the below to your Trusted IP range:
    O15 - Trusted IP range: 206.161.125.149

    Here is some more info on this address.
    206.161.125.149 = [ ah1-p4id-88.advancedhosters.com ]
    OrgName: Beyond The Network America Inc.
    OrgID: BNA-42
    Address: Reston Executive Center
    Address: 12100 Sunset Hills Road Suite 300
    City: Reston
    StateProv: VA
    PostalCode: 20190
    Country: US

    If you do not recognize that IP address and know of no reason that it must be in your trusted zone, have HJT fix it too.

    Do you recognize the below O17 lines as belonging to your ISP?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = masongroup
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8B16A8-820E-4BE6-A609-D861E3309E14}: NameServer = 194.72.9.38,194.74.65.69
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = masongroup
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = masongroup
     
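The checks chaslang applies in the post above (R0/R1 entries pointing into a local DLL via res://, an unnamed BHO loaded from the Windows directory, an O15 trusted-IP entry the user never added, and O17 NameServer values that should match the ISP's DNS) can be run mechanically over a HijackThis log. The script below is an added example, not the poster's log tool or anything from MajorGeeks or the HijackThis project; the sample lines are copied from the post, and the expected DNS servers, the allowed home pages and the list of trusted IPs the user deliberately added are assumptions passed in by the caller.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread).

Rules encode the reasoning from the post above.  What counts as a legitimate
home page, DNS server or trusted IP is not knowable from the log alone, so the
caller supplies those as allowlists (assumed values, not facts from the page).
"""
import re
from dataclasses import dataclass

# Log lines copied from chaslang's post; the O15 and O17 lines are the ones the
# poster was asked to confirm before fixing.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\suazr.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\suazr.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF27DC93-FC36-699F-3585-66C9B83BFFA7} - C:\WINNT\mfcmx.dll
O15 - Trusted IP range: 206.161.125.149
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = masongroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8B16A8-820E-4BE6-A609-D861E3309E14}: NameServer = 194.72.9.38,194.74.65.69
"""


@dataclass
class Finding:
    line: str    # the log line to select in HJT
    reason: str  # why it was flagged


RES_URL = re.compile(r"^res://", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$", re.IGNORECASE)
O15_RE = re.compile(r"^O15 - Trusted (?:IP range|Zone): (?P<value>.+)$", re.IGNORECASE)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$", re.IGNORECASE)
# A DLL sitting directly in C:\WINNT or C:\WINDOWS (not in system32 or a
# vendor subfolder) is the pattern seen in the post.
WINDIR_DLL = re.compile(r"^[A-Z]:\\WIN(?:NT|DOWS)\\[^\\]+\.dll$", re.IGNORECASE)


def triage(log_text, expected_dns, home_page_allowlist=(), trusted_ips_added_by_user=()):
    """Return the lines a helper would ask the user to fix, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # R0/R1: IE start and search pages.  A res:// URL into a local DLL is
        # the classic page hijack; any other value is checked against the
        # home pages the user says they chose.
        if line.startswith(("R0 -", "R1 -")):
            value = line.split(" = ", 1)[1].strip() if " = " in line else ""
            if RES_URL.match(value):
                findings.append(Finding(line, "IE start/search page points into a local DLL via res:// (page hijack)"))
            elif value not in home_page_allowlist:
                findings.append(Finding(line, "start/search page not set by the user; confirm before fixing"))
            continue

        if line.startswith("R3 -") and "URLSearchHook is missing" in line:
            findings.append(Finding(line, "default URLSearchHook removed; let HJT restore it"))
            continue

        m = BHO_RE.match(line)
        if m:
            if m.group("name") == "(no name)" and WINDIR_DLL.match(m.group("path")):
                findings.append(Finding(line, "unnamed BHO loaded from a DLL directly in the Windows directory"))
            continue

        m = O15_RE.match(line)
        if m:
            if m.group("value").strip() not in trusted_ips_added_by_user:
                findings.append(Finding(line, "trusted zone entry the user did not add"))
            continue

        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",")]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append(Finding(line, "NameServer not issued by the ISP: " + ", ".join(unexpected)))
            continue
    return findings


if __name__ == "__main__":
    # Assumed answers to chaslang's questions: the ISP issued both name
    # servers, the user never added a trusted IP, and the home page was about:blank.
    for f in triage(SAMPLE_LOG, expected_dns=("194.72.9.38", "194.74.65.69"),
                    home_page_allowlist=("about:blank",)):
        print(f"FIX  {f.line}\n     {f.reason}")
```

Lines that carry a reason are the ones to tick in HJT before clicking Fix; the O17 Domain lines are deliberately left alone, since only the user can say whether "masongroup" is their own domain, and the script only flags a NameServer when it is absent from the caller's list of ISP-issued DNS servers.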
  5. andrewfmuir

    andrewfmuir Private E-2

    Thanks chaps, all seems fine now. Did as you said in your last post and now IE starts up Ok and no warning messages. New log is attached. I have a couple of questions if you don't mind, firstly what was the problem I had? Secondly, very much appreciate your time and efforts, why do you do this!?
    Thanks again.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean now. You should check this out to help avoid future problems: How to Protect yourself from malware!

    The problem I had you clean up was the remainder of an HSA (Home Search Assistant) hijacker.

    We do this because we have the knowledge to do so, and because we enjoy helping others.
     
