Please Help...Browser Hijacked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sharayah, Jun 30, 2004.

  1. Sharayah

    Sharayah Private E-2

    My browser automatically goes to this address (res://nwfsu.dll/index.html#96676), a search engine, and I get several pop-ups.

    I D/L SpyKiller 2004 and ran the scan. I then D/L Ad-aware 6.0 and ran that scan. I let it clean everything that showed up and there were numerous items but not the same as the ones listed in SpyKiller. The browser addy still goes to that same address I listed above.

    I D/L all the updates for Windows and for my Virus Software McAfee which came with my Dell Computer, XP is my OS. McAfee does not detect any Virus. I then D/L updates to Ad-aware and ran another scan. It says it is clean but still the same problem persists. I paid for SpyKiller and let it clean everything it could such as Wild Tangent, WebPl, BDE, and some ProBots. Every time I run a scan with either SpyKiller or Ad-aware new spyware shows up.

    I looked in regedit and still see these things listed there and also I had a virus awhile back and the files adserve.exe and up.exe are still listed in the registry even though the virus has been cleaned from my pc. Everything that was deleted with SpyKiller and Ad-Aware is sitting listed right there, even this nwfsu which is the browser addy that has taken over. I don't want to delete anything from the registry without checking with someone first.

    I D/L CWShredder and ran it, it didn't find the coolwebsearch that Ad-aware shows in its scan, Ad-aware deletes it but it still comes back.

    I have run HijackThis and am posting the log, I can see the nwfsu browser address, I am sure I should delete this but will wait to hear back from you. I would be most grateful for any help in cleaning my pc.

    Many Thanks....Sharayah...

    Logfile of HijackThis v1.97.7
    Scan saved at 9:16:15 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\SpyKiller\spykiller.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\system32\nethz32.exe
    C:\WINDOWS\apifp32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe
    C:\Documents and Settings\ALLIE\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nwfsu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nwfsu.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nwfsu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nwfsu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nwfsu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nwfsu.dll/sp.html#96676
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {D4D47B87-CDFA-4537-94CC-1ADE3960B29C} - C:\WINDOWS\system32\javaqs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [apifp32.exe] C:\WINDOWS\apifp32.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68ED3487-8BFE-44B5-9C78-6B7EDD093FD7}: NameServer = 170.147.45.175 170.147.113.54


     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Sharayah

    Sharayah Private E-2

    TY Chaslang

    Thanks for that link, looks like a lot of work. I will start on it tomorrow after work!....

    Sharayah
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: TY Chaslang

    It's not too bad now that it is written out for you. If you have problems figuring out anything, let us know.
     
  5. Sharayah

    Sharayah Private E-2

    Hi Guys,

    I finally have time to sit and go through all these steps but ...This is not very encouraging, I didn't make it past the 4th step!..I typed this in Run ....."notepad C:WINDOWS\system32\ftlsk.dll" (without the quotes) and it said it could not find the file. Now what do I do?

    Sharayah...
     
  6. Sharayah

    Sharayah Private E-2

    OK, so maybe that file is not important and I should go on to the next step??????????.....There are 19 steps in all, please let me know...

    Many Thanks,
    Sharayah
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That 5th step seems to be confusing a lot of people (I'm working on a re-write to clarify the examples).

    The file names in the generic solution were meant to be examples and you are supposed to substitute in the names from your log, but that is no longer really clear.

    So assuming your log has not changed due to rebooting (you should verify that it has or has not changed), here is some additional info to point you in the correct direction.

    You need to enter "notepad C:\WINDOWS\system32\nwfsu.dll" without the quotes in step 5. That is what your R0 & R1 lines from HijackThis indicated before.

    In step 7, your O2 BHO line was: O2 - BHO: (no name) - {D4D47B87-CDFA-4537-94CC-1ADE3960B29C} - C:\WINDOWS\system32\javaqs.dll

    In step 8, your only O4 line was: O4 - HKLM\..\Run: [apifp32.exe] C:\WINDOWS\apifp32.exe
    but you had one additional process running too: C:\WINDOWS\system32\nethz32.exe

    In step 9, you would have HijackThis fix:

    O2 - BHO: (no name) - {D4D47B87-CDFA-4537-94CC-1ADE3960B29C} - C:\WINDOWS\system32\javaqs.dll
    O4 - HKLM\..\Run: [apifp32.exe] C:\WINDOWS\apifp32.exe

    In step 10 you would delete the below files:
    C:\WINDOWS\system32\javaqs.dll
    C:\WINDOWS\system32\nethz32.exe
    C:\WINDOWS\apifp32.exe

    and any file found in the Network Security Service (don't forget to leave off the /s as in the instructions).

    In step 12 your lines were:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nwfsu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nwfsu.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nwfsu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nwfsu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nwfsu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nwfsu.dll/sp.html#96676


    See if this helps you get through the procedure. If you notice that your filenames have changed and you cannot figure out what to do, post your new HijackThis log and DO NOT reboot your computer until you receive a response from me, as the files may change again as soon as you reboot. You can disconnect from the Internet, just don't reboot.
     
    Last edited: Jul 3, 2004
  8. Sharayah

    Sharayah Private E-2

    Thank you so much for clearing that up Chaslang ....Hugggs ya....

    Sharayah
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You know there may now be a shorter solution that you can try. It is called HSremove. Some people have been having luck using it to solve the problem. If you want to try it, instead of the long solution, download it here: http://www.majorgeeks.com/download4286.html

    Note: it is a USE AT YOUR OWN RISK solution.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  11. Sharayah

    Sharayah Private E-2

    Hi Chaslang,

    I had already started the process before I saw your last post. I went through each of the steps and am posting my last log to you. I hope my pc is clean... if not, I'm sure you will let me know. I sure can tell you I've learned a lot in this little venture.....Thank you for all your time and effort, I really do appreciate you as I'm sure all the other ppl you're helping do as well. This is a great forum and I've told everyone all about it and U....*s...When I see the man who sent me here, he gets the biggest hug of all!...
     
  12. Sharayah

    Sharayah Private E-2

    Here is my last log.....

    Logfile of HijackThis v1.97.7
    Scan saved at 11:43:20 PM, on 7/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
    C:\Documents and Settings\ALLIE\Desktop\Cleaners\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {D347A63E-D453-8011-9CE5-A8289CC2E209} - C:\WINDOWS\appzf32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
     
  13. Sharayah

    Sharayah Private E-2

    Chaslang I can't believe it!!!!!....I was about to call it a night after my last two posts to you and I decided to go to Internet Options for the heck of it and make sure my home page was still set right...It WASN'T!!!!....The darn thing is back ..just with a different name!!! (kbdfp.dll)....I have to do it all over again???....I didn't even go anywhere or do anything, why is it back?!....*holds head*....here is my new log...I will have to work on it again tomorrow. I guess at least this time I know what I'm doing but I'm confused as to why it is back...I read your post about the other software but I'd rather do it this way...

    Thanks for bearing with me...
    Sharayah

    Logfile of HijackThis v1.97.7
    Scan saved at 12:32:02 AM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\sysmi.exe
    C:\WINDOWS\system32\ieip.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ALLIE\Desktop\Cleaners\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kbdfp.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kbdfp.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kbdfp.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kbdfp.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kbdfp.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kbdfp.dll/sp.html#96676
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {D347A63E-D453-8011-9CE5-A8289CC2E209} - C:\WINDOWS\appzf32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [ieip.exe] C:\WINDOWS\system32\ieip.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68ED3487-8BFE-44B5-9C78-6B7EDD093FD7}: NameServer = 170.147.45.175 170.147.113.54
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It probably had mutated before you started to fix it. I noticed in your log just after you fixed it the following:

    O2 - BHO: (no name) - {D347A63E-D453-8011-9CE5-A8289CC2E209} - C:\WINDOWS\appzf32.dll

    This means it already had a different hijacker than the one you started to work on.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm looking at your log now. Hang on for awhile longer. DO NOT REBOOT!!!!
    I'll post more information in a few minutes. By the way, I updated the Generic Procedures to try to clarify some steps.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are the lines of concern in your newest HijackThis log:

    C:\WINDOWS\sysmi.exe
    C:\WINDOWS\system32\ieip.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kbdfp.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kbdfp.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kbdfp.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kbdfp.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kbdfp.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kbdfp.dll/sp.html#96676

    O2 - BHO: (no name) - {D347A63E-D453-8011-9CE5-A8289CC2E209} - C:\WINDOWS\appzf32.dll
    O4 - HKLM\..\Run: [ieip.exe] C:\WINDOWS\system32\ieip.exe
    O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe


    Do you think you know how to use this information in the Generic Solution by yourself, or do you need help?

    Remember to always shut down (not minimize) all applications, especially IE, before running HijackThis. Your last log showed IE running.

    Make sure you follow the procedure exactly. It is very important to not be connected to the Internet as I stated in the procedure.
     
    Last edited: Jul 4, 2004
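    Both the step-by-step walkthrough in post 7 and the "lines of concern" above pick out the same three kinds of HijackThis entries by eye: R0/R1 pages pointing at a res:// URL inside a local DLL, a "(no name)" O2 BHO in the Windows directory, and O4 Run/RunOnce values named after the file they launch. The Python below is an added example (not from the thread or from the HijackThis project) that applies those rules to constructed excerpts of the logs posted here, marks which flagged files are currently running, and diffs two logs to show the rename from nwfsu.dll to kbdfp.dll that chaslang describes. The heuristics and the `WINDIR` location rule are this example's own assumptions drawn from the posted logs, not HijackThis behaviour.

```python
"""Triage a HijackThis v1.97-style log for the CoolWebSearch-type hijack in this
thread.  Heuristics are taken only from what the thread's logs show:
  R0/R1  IE start/search page set to a res:// URL inside a local DLL
  O2     a "(no name)" BHO loading from the Windows directory, not Program Files
  O4     a Run/RunOnce value named after the file it launches, that file sitting
         in the Windows directory or System32
Flagged files are cross-checked against "Running processes" (a running file must be
stopped before it can be deleted); two logs can be diffed to expose a re-infection."""
import re
from dataclasses import dataclass

# Constructed subsets of the thread's first (before) and third (after) logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\nethz32.exe
C:\WINDOWS\apifp32.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nwfsu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nwfsu.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D4D47B87-CDFA-4537-94CC-1ADE3960B29C} - C:\WINDOWS\system32\javaqs.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [apifp32.exe] C:\WINDOWS\apifp32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\sysmi.exe
C:\WINDOWS\system32\ieip.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kbdfp.dll/index.html#96676
O2 - BHO: (no name) - {D347A63E-D453-8011-9CE5-A8289CC2E209} - C:\WINDOWS\appzf32.dll
O4 - HKLM\..\Run: [ieip.exe] C:\WINDOWS\system32\ieip.exe
O4 - HKLM\..\RunOnce: [sysmi.exe] C:\WINDOWS\sysmi.exe
"""

R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
BHO_LINE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run(?:Once)?): \[([^\]]+)\] (.+)$")
RES_DLL = re.compile(r"^res://(?:.*\\)?([^/\\]+\.dll)/", re.IGNORECASE)
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\"]*?\.exe", re.IGNORECASE)
WINDIR = "c:\\windows\\"   # assumed location rule: the posted logs are all C:\WINDOWS


@dataclass(frozen=True)
class Finding:
    kind: str      # "R", "O2" or "O4"
    path: str      # implicated file, lower-cased; bare DLL name for res:// URLs
    running: bool  # True if the same path appears under "Running processes"
    line: str


def running_processes(log_text: str) -> set[str]:
    """Paths listed under 'Running processes' (the lines that start with a drive letter)."""
    return {ln.strip().lower() for ln in log_text.splitlines()
            if re.match(r"^[A-Za-z]:\\", ln.strip())}


def triage(log_text: str) -> list[Finding]:
    procs = running_processes(log_text)
    found: list[Finding] = []

    def add(kind: str, path: str, line: str) -> None:
        path = path.lower()
        found.append(Finding(kind, path, path in procs, line))

    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := R_LINE.match(line):
            # A normal start/search page is http(s)://; res:// points into a DLL on disk.
            if dll := RES_DLL.match(m.group(4)):
                add("R", dll.group(1), line)
        elif m := BHO_LINE.match(line):
            # HJT 1.97 reports legitimate BHOs as "(no name)" too (Acrobat above), so
            # location is the discriminator: a nameless BHO under C:\WINDOWS is suspect.
            if m.group(1) == "(no name)" and m.group(2).lower().startswith(WINDIR):
                add("O2", m.group(2), line)
        elif m := O4_LINE.match(line):
            exe = EXE_PATH.search(m.group(3))   # None for RUNDLL32 ... .dll entries
            if exe and exe.group(0).lower().startswith(WINDIR) \
                    and m.group(2).lower() == exe.group(0).lower().rsplit("\\", 1)[-1]:
                add("O4", exe.group(0), line)
    return found


def new_indicators(before: str, after: str) -> set[str]:
    """File names flagged in the later log but not the earlier one.  A non-empty
    result after a 'clean' run means the hijacker came back under new names."""
    def names(log: str) -> set[str]:
        return {f.path.rsplit("\\", 1)[-1] for f in triage(log)}
    return names(after) - names(before)


if __name__ == "__main__":
    print(*triage(LOG_BEFORE), sorted(new_indicators(LOG_BEFORE, LOG_AFTER)), sep="\n")
```

    The EarthLink entry is kept in the sample deliberately: its value name also equals its file name, and only the Program Files location keeps it out of the findings, which is why a location rule and not just a name rule is needed.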
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh well. I see you have logged off. You'll need to double check your HijackThis log again after booting up the next time to see if anything has changed or been added. If you don't get everything it is going to keep coming back.

    Don't forget you can still try the HSremove method. If you do decide to use HSremove:
    1) first download it to your system but do not run.
    2) disconnect from the internet
    3) make sure system restore is disabled
    4) boot in safe mode
    5) run HSremove
    6) boot normal
    7) connect to internet
    8) post results (success or failure)
     
  18. Sharayah

    Sharayah Private E-2

    Happy 4th of July Chaslang!!...

    Second time was a charm, I knew what to do so it went faster. The log looks good to me.. but you're the expert so I will wait to hear from you on the "all is clear", so I can put my system back into recovery mode. I did reboot several times and it still looks good. Thank you soooo much for all your help. I will visit here often.....

    Many Thanks,
    Shara

    Logfile of HijackThis v1.97.7
    Scan saved at 11:40:21 AM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\ALLIE\Desktop\Cleaners\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shara, Happy 4th!

    You're welcome! I'm happy things worked out. You probably learned more about your PC doing the longer method too. What do you think?

    Log is looking good. Have you reset your home page to something useful, and is that working okay? Yes! Enable your system restore now. You should manually create a check point. Read this: http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx

    Scroll down to the section titled: Create Restore Points Manually
     
  20. Sharayah

    Sharayah Private E-2

    Hi Chaslang,

    I did learn a lot by doing it the long way and I'm very grateful to you for making it so easy! I'm not so hesitant to maneuver around in my pc as I was when I first started...Everything seems to be running fine, my home page is set and hasn't changed. I am going to read that last link about creating a check point...I have all these programs now that I never had before or even knew about ..so I will try to keep my pc clean...again, thank you sooo much!..

    Have a great 4th, I will think of you when I bite into my first piece of watermelon (after the hamburger of course). I know there are many people here who need your help ...but...get off your pc and have some funnnn today!...*winks*

    Hugs ya,
    Shara
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shara,

    To help you stay clean look into the following (some you have already).

    How to protect yourself and things to have (copied from Xflat)

    Anti Virus
    http://majorgeeks.com/download1968.html Avast
    http://majorgeeks.com/download886.html AVG
    The top two hands down. Beat the heck out of Norton or McAfee (garbage)
    Only run ONE AV!!!!!

    Firewall
    Don't care if you're on dial-up or High Speed....you must have a firewall
    http://majorgeeks.com/download738.html Kerio
    http://majorgeeks.com/download3356.html Sygate

    Temp File/Cookies/index.dat cleaner
    http://majorgeeks.com/download4191.html

    SpyWare Prevention Notice I did not say scanner...yet
    http://majorgeeks.com/download2859.html SpyWare Blaster...
    http://majorgeeks.com/download3045.html SpyWare Guard....

    SpyWare Scanners/Removers
    http://majorgeeks.com/download2471.html SpyBot ( I don't activate the TeaTimer)
    http://majorgeeks.com/download506.html AdAware
     
  22. Sharayah

    Sharayah Private E-2

    Chaslang,

    I will look into all those links, thank you very much! You know that one Virus Software, AVG...I d/l it before I started all this and when I went to install it I couldn't...It said it couldn't be installed because of 16 bit something or other, I don't remember the error now....I will try installing it again...I have to go for now as the holiday is starting...

    Many Thanks & Hugs...
    Shara
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Shara,

    You're welcome. Enjoy the holiday. Talk to ya later.

    Chas
     
