netspry and ads234

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by layeni, Oct 4, 2004.

  1. layeni

    layeni Private E-2

    Hi there:

    My browser is getting hijacked by the infernal netspry. Also, from time to time I get a security warning that says "the current web page is trying to open a site in your trusted sites list" for ads234.

    I have religiously followed your instructions in the "do not post until you have read this" section, downloading and scanning/cleaning everything listed in safe mode. My windows update is current. I read the link to Pest Patrol about netspry, and I didn't find any of those files or registry entries on my computer.

    When I did the trendmicro scan it found and deleted
    java bytever.a-1
    html zerolin.c
    html hmtredir.a
    troj stilen.a

    The other scans didn't find anything. I also ran hijack this and deleted a couple of things that were listed (on the references you provided) as adware components. But the problem persists.

    I have exhausted my (shallow) level of computer knowledge, any help you can provide would be very much appreciated. I could send you a copy of my hijack this log if that would help. Thanks.
     
  2. Kodo

    Kodo SNATCHSQUATCH

    attach your log to a post please.
     
  3. layeni

    layeni Private E-2

    here you go, thanks again for your time
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. layeni

    layeni Private E-2

    hello:

    peperfix didn't find anything. I also ran memorywatcher. Here's the latest hjt log

    thanks
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the two items that I asked you to run in my previous message did not fix those strange file names, here are the next steps:

    Make sure System Restore is disabled and viewing of hidden files is enabled.
    Boot into safe mode.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. If you see any of the following processes, End them:
    nwFX.exe
    Gp2bKD.exe
    xP2.exe
    dclqp.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\a8mMdEm.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [xP2] C:\winnt\temp\xP2.exe
    O4 - HKLM\..\Run: [dclqp] C:\WINNT\dclqp.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\RkmrXhf2.exe
    O4 - HKLM\..\Run: [nwFX] C:\documents and settings\owner\local settings\temp\nwFX.exe
    O4 - HKLM\..\Run: [Gp2bKD] C:\documents and settings\owner\local settings\temp\Gp2bKD.exe
    O4 - HKLM\..\Run: [Gp2bKD.exe] C:\documents and settings\owner\local settings\temp\Gp2bKD.exe
    O4 - HKLM\..\Run: [nwFX.exe] C:\documents and settings\owner\local settings\temp\nwFX.exe

    Use Windows Explorer to delete the following:
    C:\Documents and Settings\Owner\Local Settings\Temp\a8mMdEm.dll
    C:\documents and settings\owner\local settings\temp\nwFX.exe
    C:\documents and settings\owner\local settings\temp\Gp2bKD.exe
    C:\documents and settings\owner\local settings\temp\nwFX.exe

    Then empty your recycle bin and also look for these file names in c:\winnt\Prefetch and delete them if found.
    Now boot normal mode and tell us how things are working and post a new log.
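    The manual sweep above (Task Manager, HijackThis O2/O4 lines, Windows Explorer, Prefetch) can be done as one read-only check. The following PowerShell script is an added example and is not part of chaslang's post or of HijackThis; it only reports hits and deletes nothing, so the user still confirms each item before removing it as described above. The process names, Run value names, BHO CLSIDs and file names are taken from the log lines quoted in the post; $env:SystemRoot and $env:TEMP stand in for the hard-coded C:\WINNT and C:\documents and settings\owner\local settings\temp, which is an assumption that the script is run as the same user the log was taken from. Resolving each BHO CLSID to its InprocServer32 path is extra: it shows what the "(no file)" marker in the O2 lines means (CLSID still registered, DLL gone).

```powershell
# Added example: read-only sweep for the indicators listed in the post above.
# Run from an elevated PowerShell session (ideally in safe mode); it reports, never deletes.
# Names and paths are the ones quoted in the HijackThis log; $env:SystemRoot / $env:TEMP
# replace C:\WINNT and the user's Local Settings\Temp (assumption: same user as the log).

$processNames  = 'nwFX', 'Gp2bKD', 'xP2', 'dclqp', 'RkmrXhf2'
$runValueNames = 'xP2', 'dclqp', '2SWZKN82R5K47C', 'nwFX', 'Gp2bKD', 'Gp2bKD.exe', 'nwFX.exe'
$bhoClsids = @(
    '{549B5CA7-4A86-11D7-A4DF-000874180BB3}',
    '{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}',
    '{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}',
    '{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}'
)
$filePaths = @(
    (Join-Path $env:TEMP 'a8mMdEm.dll'),
    (Join-Path $env:TEMP 'nwFX.exe'),
    (Join-Path $env:TEMP 'Gp2bKD.exe'),
    (Join-Path $env:SystemRoot 'temp\xP2.exe'),
    (Join-Path $env:SystemRoot 'dclqp.exe'),
    (Join-Path $env:SystemRoot 'System32\RkmrXhf2.exe')
)

Write-Host '== Running processes (Task Manager step) =='
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $processNames -contains $_.ProcessName } |
    ForEach-Object { Write-Host ('HIT process {0} (PID {1}) {2}' -f $_.ProcessName, $_.Id, $_.Path) }

Write-Host '== HKLM Run values (HijackThis O4 lines) =='
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValueNames) {
    if ($run -and $run.PSObject.Properties[$name]) {
        Write-Host ('HIT Run value [{0}] = {1}' -f $name, $run.$name)
    }
}

Write-Host '== Browser Helper Objects (HijackThis O2 lines) =='
foreach ($clsid in $bhoClsids) {
    $bhoKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
    if (Test-Path $bhoKey) {
        # The BHO key only lists the CLSID; the DLL path lives under HKCR\CLSID\{...}\InprocServer32.
        # A registered CLSID whose DLL is missing is what HijackThis prints as "(no file)".
        $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $server = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
        $state  = if ($server -and (Test-Path $server)) { $server } else { '(no file)' }
        Write-Host ('HIT BHO {0} -> {1}' -f $clsid, $state)
    }
}

Write-Host '== Files and Prefetch traces (Explorer step) =='
foreach ($p in $filePaths) {
    if (Test-Path $p) { Write-Host "HIT file $p" }
}
# Prefetch entries are named NAME.EXE-<hash>.pf; a match means the binary ran at some point.
$prefetch = Join-Path $env:SystemRoot 'Prefetch'
foreach ($name in $processNames) {
    Get-ChildItem -Path $prefetch -Filter "$name.EXE-*.pf" -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "HIT prefetch $($_.FullName)" }
}
```

    A clean machine prints the four section headers and no HIT lines. Because the Run values and BHO CLSIDs are checked by exact name, a variant that re-registers under a different random name will not show up here; that is why chaslang asks for a fresh HijackThis log after the reboot rather than relying on a fixed list.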
     
  7. layeni

    layeni Private E-2

    ah, sweet clean computer happiness...

    the sites that were provoking the hijacks seem to be working correctly now. I am attaching my updated hjt log, please let me know if there is anything else I should do.

    (just think of how much better life would be if everyone spent some amount of their own time helping people they don't know. I'm passing it along by doing a pro bono job in my own field [translation] for someone that really needs it)

    thanks again.
     

  8. layeni

    layeni Private E-2

    oh and one other thing...is it OK to re-enable my system restore?
     
  9. Kodo

    Kodo SNATCHSQUATCH

    looks good :)
    You can enable sys restore again.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As Kodo said, Layeni, your log looks good and system restore can be enabled, but please make sure you go through a couple of reboots first to make sure you are really clean.

    Good job!
     
