iainzx

browser hijacked !

6 posts in this topic

Just become another victim. I've done all the FAQ stuff to the best of my v. limited ability. Done the lava and Spybot thing - they appear to 'clean', but it all just reappears when I switch on again. Ran CWShredder and it does not pick anything up - yes, it's up to date.

I have the following picked up by the scan-only software XoftSpy:

coolwebsearch

winpup.32

cws.oslogo

bat/mumu-A

cws.mrhop

savenow

All of these are identified as malware, with the exception of SaveNow, which it categorises as a data miner.

Below is my HijackThis log.

Can you help?


Logfile of HijackThis v1.97.7

Scan saved at 11:22:02, on 27/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\winqs32.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE

C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\WINDOWS\System32\dslagent.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqWRG.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\mfcae32.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\iain Walker\My Documents\My Download files\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afpvb.dll/sp.html#35759

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://afpvb.dll/index.html#35759

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://afpvb.dll/index.html#35759

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afpvb.dll/sp.html#35759

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://afpvb.dll/index.html#35759

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\afpvb.dll/sp.html#35759

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {6BFF9B92-3016-5346-D92F-607FAF27C19B} - C:\WINDOWS\netbq.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING

O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HPpromo psc 2175] "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqWRG.exe" /N "psc 2175" -r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mfcae32.exe] C:\WINDOWS\mfcae32.exe

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\IAINWA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O4 - HKLM\..\RunOnce: [winux32.exe] C:\WINDOWS\winux32.exe

O4 - HKLM\..\RunOnce: [crsh.exe] C:\WINDOWS\system32\crsh.exe

O4 - HKLM\..\RunOnce: [javahc32.exe] C:\WINDOWS\system32\javahc32.exe

O4 - HKLM\..\RunOnce: [mfctj.exe] C:\WINDOWS\system32\mfctj.exe

O4 - HKLM\..\RunOnce: [msys.exe] C:\WINDOWS\system32\msys.exe

O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\8P1DO9BO\FOOTER~1.SH! C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\8P1DO9BO\HEADER~1.SH! C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\KD4FH2GI\READER~1.SH! C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\Q9SBCVEX\INDEX_~1.SH! C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\KD4FH2GI\SECURE~1.SH!

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{0C8E87E5-B7DA-49F1-8C4C-C24C37408E06}: NameServer = 194.74.65.68 194.72.9.39


Download About:Buster by RubbeR DuckY from

 

http://www.atribune.org/downloads/AboutBuster.zip

 

Then unzip it to your desktop. Do not run it yet. Print these directions or paste them into a text document, as you will be running with Internet Explorer closed. Restarting Internet Explorer may cause a reinfection.

Run another HijackThis scan and place a check next to the following entries:

O2 - BHO: (no name) - {6BFF9B92-3016-5346-D92F-607FAF27C19B} - C:\WINDOWS\netbq.dll

O4 - HKLM\..\Run: [mfcae32.exe] C:\WINDOWS\mfcae32.exe

O4 - HKLM\..\RunOnce: [winux32.exe] C:\WINDOWS\winux32.exe

O4 - HKLM\..\RunOnce: [crsh.exe] C:\WINDOWS\system32\crsh.exe

O4 - HKLM\..\RunOnce: [javahc32.exe] C:\WINDOWS\system32\javahc32.exe

O4 - HKLM\..\RunOnce: [mfctj.exe] C:\WINDOWS\system32\mfctj.exe

O4 - HKLM\..\RunOnce: [msys.exe] C:\WINDOWS\system32\msys.exe

Then close all windows and click the Fix checked button. Now start up About:Buster. Hit OK on the first prompt and then hit Start. Next hit OK. Wait till the scan completes, then copy the report and save it somewhere. Rerun About:Buster to make sure everything was deleted. Then restart your computer.

It is now safe to reopen Internet Explorer. Please post a new HijackThis log along with the About:Buster report.

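The helper's triage above (and the "(file missing)" BHO picked up in the second log further down) follows a few recognisable rules: IE start/search pages served as a `res://` resource out of a local DLL, BHOs and autorun entries whose file is dropped bare into the Windows directory rather than under a vendor folder, and RunOnce entries that re-launch such files. The Python below is an added example written for this thread, not code from HijackThis, About:Buster or the forum; the rules and the sample entries (copied from the logs in this thread) are my own constructed heuristic, and it only flags lines for a human to review.

```python
import re

# Constructed sample input: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\afpvb.dll/sp.html#35759
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6BFF9B92-3016-5346-D92F-607FAF27C19B} - C:\WINDOWS\netbq.dll
O2 - BHO: (no name) - {263D8EC6-3994-13AE-F18C-F072FE879294} - C:\WINDOWS\system32\ntfg32.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mfcae32.exe] C:\WINDOWS\mfcae32.exe
O4 - HKLM\..\RunOnce: [crsh.exe] C:\WINDOWS\system32\crsh.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# Heuristic (assumption): a bare .exe/.dll sitting directly in C:\WINDOWS, no vendor sub-folder.
WIN_ROOT = re.compile(r'^"?c:\\windows\\[^\\"]+\.(exe|dll)"?', re.I)
# Same, but also accepting C:\WINDOWS\system32 (used only for RunOnce entries).
WIN_ANY = re.compile(r'^"?c:\\windows\\(system32\\)?[^\\"]+\.(exe|dll)"?', re.I)

def triage_line(line):
    """Classify one HijackThis line as ('suspicious', reason) or ('ok', reason)."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]          # section tag: R0, R1, O2, O4, ...
    if kind in ("R0", "R1") and "res://" in line:
        return ("suspicious", "IE start/search page served from a local DLL resource")
    if kind == "O2":
        target = line.rsplit(" - ", 1)[-1]  # the DLL path after the CLSID
        if target.endswith("(file missing)"):
            return ("suspicious", "BHO registered for a DLL that is no longer on disk")
        if WIN_ROOT.match(target):
            return ("suspicious", "BHO DLL dropped directly into the Windows directory")
        return ("ok", "BHO loaded from a vendor program folder")
    if kind == "O4":
        target = re.sub(r"^O4 - [^:]+: \[[^\]]*\] ", "", line)  # strip hive and [name]
        if "RunOnce" in line and WIN_ANY.match(target):
            return ("suspicious", "RunOnce entry re-launching a bare Windows-directory executable")
        if WIN_ROOT.match(target):
            return ("suspicious", "autorun executable dropped directly into the Windows directory")
        return ("ok", "autorun points at a vendor path or system component")
    return ("ok", "section not covered by this triage")

def triage_log(text):
    """Return the suspicious entries of a log as (line, reason) pairs, in log order."""
    rows = [(l.strip(), triage_line(l)) for l in text.strip().splitlines()]
    return [(line, reason) for line, (verdict, reason) in rows if verdict == "suspicious"]

if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(reason, "->", entry)
```

Run against the sample it flags exactly the five entries the helper asked to have fixed across the two logs and leaves the Adobe, Nero and NVIDIA entries alone; the rules are deliberately narrow and a real review still reads every line.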

OK, it seems to have worked; I have my home page back on Internet Explorer.

I've also downloaded Opera having had a look at your site; looks good, so I may well go to that in future.

The logfile is attached as requested.

Logfile of HijackThis v1.97.7

Scan saved at 20:57:02, on 27/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE

C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\gsicon.exe

C:\WINDOWS\System32\dslagent.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqWRG.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\BT Broadband\Help\bin\mpbtn.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\iain Walker\My Documents\My Download files\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/index_new_002.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {263D8EC6-3994-13AE-F18C-F072FE879294} - C:\WINDOWS\system32\ntfg32.dll (file missing)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING

O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HPpromo psc 2175] "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqWRG.exe" /N "psc 2175" -r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\IAINWA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\8P1DO9BO\FOOTER~1.SH! C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\8P1DO9BO\HEADER~1.SH! C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\KD4FH2GI\READER~1.SH! C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\Q9SBCVEX\INDEX_~1.SH! C:\DOCUME~1\IAINWA~1\LOCALS~1\TEMPOR~1\Content.IE5\KD4FH2GI\SECURE~1.SH!

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll


Have HijackThis fix this entry:

O2 - BHO: (no name) - {263D8EC6-3994-13AE-F18C-F072FE879294} - C:\WINDOWS\system32\ntfg32.dll (file missing)

Everything else looks good.

You should read this to help prevent future problems.

So how did I get infected


Job done, thanks again. Now using the Opera browser after your site's recommendations; even parted with the forty-odd USD to get the full version minus the ads - already prefer the interface to MSIE - there is a world outside of Bill Gates'. Nice one!
