Hubert

res://furnu.dll/index.html#96676

11 posts in this topic

Hi

I've been using Ad-aware, HjT, and SpySweeper (all updated today) to scan and re-scan my PC for the last couple of days trying to get rid of this annoying malware, but every time I reset, it seems to change to another name. Please tell me how I can get rid of this once and for all.

Any help will be greatly appreciated. Thanks.

 

====================

 

Logfile of HijackThis v1.97.7

Scan saved at 7:22:59 PM, on 6/28/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

D:\WINDOWS\System32\inetsrv\inetinfo.exe

D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

D:\Program Files\Norton AntiVirus\navapsvc.exe

D:\WINDOWS\System32\tcpsvcs.exe

D:\WINDOWS\System32\snmp.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\apipa32.exe

D:\WINDOWS\System32\wuauclt.exe

D:\WINDOWS\system32\sdkym.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\system32\sdkym.exe

D:\HijackThis\HijackThis.exe

D:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

D:\WINDOWS\System32\dllhost.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\System32/left.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\furnu.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://furnu.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://furnu.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\furnu.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://furnu.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\furnu.dll/sp.html#96676

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {C087B81B-0D79-CD2A-7B75-D54064604F8F} - D:\WINDOWS\netqb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [apipa32.exe] D:\WINDOWS\apipa32.exe

O4 - HKLM\..\RunOnce: [sdkym.exe] D:\WINDOWS\system32\sdkym.exe

O4 - HKLM\..\RunOnce: [javaej32.exe] D:\WINDOWS\system32\javaej32.exe

O4 - HKLM\..\RunOnce: [ntle.exe] D:\WINDOWS\system32\ntle.exe

O4 - HKLM\..\RunOnce: [appkd32.exe] D:\WINDOWS\system32\appkd32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: starter.lnk = D:\WINDOWS\system32\starter.exe

O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AOL Instant Messenger (SM) (HKLM)

O12 - Plugin for .mov: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mpeg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C9A1C510-D5AB-4C3E-BD97-9D1688FAA5DC}: NameServer = 203.31.48.7 203.56.186.7

 

===============================


I'd like to check starter.exe isn't a virus.

Go to TrendMicro and perform an online virus scan. Let it fix anything that it finds. Do the same at Pandasoftware.

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

 

O2 - BHO: (no name) - {C087B81B-0D79-CD2A-7B75-D54064604F8F} - D:\WINDOWS\netqb.dll

 

O4 - HKLM\..\Run: [apipa32.exe] D:\WINDOWS\apipa32.exe

O4 - HKLM\..\RunOnce: [sdkym.exe] D:\WINDOWS\system32\sdkym.exe

O4 - HKLM\..\RunOnce: [javaej32.exe] D:\WINDOWS\system32\javaej32.exe

O4 - HKLM\..\RunOnce: [ntle.exe] D:\WINDOWS\system32\ntle.exe

O4 - HKLM\..\RunOnce: [appkd32.exe] D:\WINDOWS\system32\appkd32.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

 

Download About:Buster from either of the following locations.

 

http://www.atribune.org/downloads/AboutBuster.zip

or

http://tools.zerosrealm.com/AboutBuster.zip

 

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

 

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page. Run it again to be sure.

 

Reboot and post a new HijackThis log along with the reports from About:Buster. Check your browser to see if you're cleared. If it comes back we can try it in safe mode.

 

EDIT: got my links mixed up, ignore the first set. The ones you see now are the ones to follow.

 

It's late here so I'll check back in in the morning.

Edited by Scoff


As cnm has just pointed out, Ad-aware is cleaning out the files in safe mode. So if you're still infected...

 

Open Ad-aware and configure it as follows. In the main window look in the bottom right corner and click on Check for updates now and download the latest reference files. Ad-Aware should be file: v6.0 Build 6.181 and you should have reference file: 01R325 26.06.2004 or later installed.

 

Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here.

 

Launch Ad-aware, and click on the Gear at the top of the start screen.

 

Click the "Scanning" button.

Under Drives & Folders, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Include additional Ad-aware settings in logfile" and

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

Please make sure that you activate IN-DEPTH scanning before you proceed.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT normally to allow it to finish.

 

Then post a fresh HijackThis log.


Thank you so much Scoff and cnm,

I finally got rid of that res://<...> thanks to you guys!

Please take a look at my log for the last time... hopefully.

Also, a small problem I'd encountered is that every time I open IE a message pops up (the one about MS FrontPage). I know if I simply stick the MS Office XP CD in it will go away, but the problem is I don't want to turn my room upside down to find the CD. I was wondering if there is any quick solution to this problem? If not, then I guess I just have to start turning my room upside down.

Thanks again guys!

 

Here's my HJT log please tell me what to delete.

 

======================================

 

Logfile of HijackThis v1.97.7

Scan saved at 9:25:52 PM, on 6/29/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

D:\WINDOWS\System32\inetsrv\inetinfo.exe

D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

D:\Program Files\Norton AntiVirus\navapsvc.exe

D:\WINDOWS\System32\tcpsvcs.exe

D:\WINDOWS\System32\snmp.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\System32\wuauclt.exe

D:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\WINDOWS\System32\msiexec.exe

D:\Program Files\windows media player\wmplayer.exe

D:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\System32/left.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: starter.lnk = D:\WINDOWS\system32\starter.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: AOL Instant Messenger (SM) (HKLM)

O12 - Plugin for .mov: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mpeg: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C9A1C510-D5AB-4C3E-BD97-9D1688FAA5DC}: NameServer = 203.31.48.7 203.56.186.7

 

======================

Edited by Hubert


I'm afraid I don't know the answer to the FrontPage problem but I'll ask someone. You might have some tidying up to do!

 

Have you set this to be your default start page?

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\System32/left.html

 

Also, your operating system/Internet Explorer is not up to date. You should go to the Windows Update page to check for all updates, http://v4.windowsupdate.microsoft.com/en/default.asp, and download and install all marked "critical".


[

Have you set this to be your default start page?

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\System32/left.html

]

 

Sorry, not sure what you meant by start page... my homepage is set to www.google.com

Should I have deleted

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\System32/left.html

or set that as my homepage...????


Sorry, I made a slight mistake there. It's not a start page. I'm just checking on whether it's a baddie.


Hi Hubert

 

Fix this line with HijackThis

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\System32/left.html

 

and then delete the file

 

D:\WINDOWS\System32/left.html

 

Make sure you get your Windows updates and it looks like you're clean.

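Added example (not part of the original thread and not HijackThis code): a short Python script that compares excerpts of the two logs posted above, listing the entries that disappeared after the cleanup and any Internet Explorer page setting that still points at a res:// or file:// URL. The log lines are copied from the thread; the function names and the res://-or-file:// check are assumptions made for this illustration.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (6/28 and 6/29).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\System32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://furnu.dll/index.html#96676
O2 - BHO: (no name) - {C087B81B-0D79-CD2A-7B75-D54064604F8F} - D:\WINDOWS\netqb.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [sdkym.exe] D:\WINDOWS\system32\sdkym.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\WINDOWS\System32/left.html
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

# "R1 - ...", "O4 - ...", "O16 - ...": section code, then the entry body.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# R-section body: "<registry key>,<value name> = <data>".
IE_SETTING = re.compile(r"^(HK\w+\\[^,]+),(.+?) = (.*)$")

def parse(log):
    """Return {(section, body)} for each entry line; header and process lines are skipped."""
    return {m.groups() for line in log.splitlines() if (m := ENTRY.match(line))}

def local_ie_pages(entries):
    """R0/R1 settings whose data is a res:// or file:// URL, i.e. a page served
    from a DLL resource or a local file rather than from a web site."""
    hits = []
    for section, body in sorted(entries):
        m = IE_SETTING.match(body)
        if section in ("R0", "R1") and m and m.group(3).lower().startswith(("res://", "file://")):
            hits.append((m.group(2), m.group(3)))
    return hits

def compare(before, after):
    """Diff two logs and report what was removed, what is new, and what still looks local."""
    b, a = parse(before), parse(after)
    return {"removed": sorted(b - a), "new": sorted(a - b), "still_local": local_ie_pages(a)}

if __name__ == "__main__":
    for name, rows in compare(LOG_BEFORE, LOG_AFTER).items():
        print(name, *rows, sep="\n  ")
```

On these excerpts the only setting reported as still local is the Search Bar entry pointing at left.html, the line the last reply says to fix.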