
HELP! browser changes also have the smitfraud.c



#1
cindun

    New Member

  • 1 posts
Please help. I am about at my wits' end here. I have run many programs but still I am having problems. My browser is hijacked and possibly other things but . . .

Here is a current hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 3:43:53 PM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\msmr32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\javaie.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this software\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://government.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1A0DC0EF-7DEF-92DA-6241-3E7CFC5F61EB} - C:\WINDOWS\netne32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [msmr32.exe] C:\WINDOWS\msmr32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [netne32.exe] C:\WINDOWS\netne32.exe
O4 - HKLM\..\RunOnce: [javaie.exe] C:\WINDOWS\system32\javaie.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft AntiSpyware helper - {EDC03FC5-FA78-4694-AD0A-5A1BC8E4654F} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EDC03FC5-FA78-4694-AD0A-5A1BC8E4654F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {EDC03FC5-FA78-4694-AD0A-5A1BC8E4654F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EDC03FC5-FA78-4694-AD0A-5A1BC8E4654F} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111604528046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://app.co.stark....iator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A99D800B-1049-4098-B846-21B5148B7AAE}: NameServer = 172.19.40.10
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ieob32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I would appreciate any help on what I need to do to get this machine working!!

Thanks very much in advance for your help,

jp ;)


#2
Wizard

    Retired Staff

  • 5,661 posts
Hi cindun and Welcome to G2G!!

That's a nasty CWS Infection you have there!!

Copy these Instructions to Notepad and Save them to your Desktop, you will need them in Safe Mode!

Please Download these utilities but don't run them until I ask you to!

CWShredder
http://cwshredder.ne.../CWShredder.exe

Double Click CWShredder.exe to run it>>Click Check For Update
Close it out once updated, We will run it in Safe Mode!

cwsserviceremove.reg
http://forums.techgu...achmentid=45240

ABout Buster
http://www.besttechi...?showtopic=1488

Follow the Instructions inside the link to Update it, We will run it in Safe Mode!

CleanUp!
http://www.geekstogo...=download&id=49

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders, this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Once in Safe Mode>>Click Start>>Click Run>>Copy&Paste the Bold Print below into the Open Box and Click OK!

sc stop Network Security Service (NSS)
and
sc delete Network Security Service (NSS)


regsvr32 /u netne32.dll
If you get an error message,try it like this:
regsvr32 /u C:\WINDOWS\netne32.dll

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {1A0DC0EF-7DEF-92DA-6241-3E7CFC5F61EB} - C:\WINDOWS\netne32.dll

O4 - HKLM\..\Run: [msmr32.exe] C:\WINDOWS\msmr32.exe

O4 - HKLM\..\RunOnce: [netne32.exe] C:\WINDOWS\netne32.exe

O4 - HKLM\..\RunOnce: [javaie.exe] C:\WINDOWS\system32\javaie.exe

O9 - Extra button: Microsoft AntiSpyware helper - {EDC03FC5-FA78-4694-AD0A-5A1BC8E4654F} - (no file)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EDC03FC5-FA78-4694-AD0A-5A1BC8E4654F} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {EDC03FC5-FA78-4694-AD0A-5A1BC8E4654F} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EDC03FC5-FA78-4694-AD0A-5A1BC8E4654F} - (no file) (HKCU)

O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ieob32.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Run CWShredder

Click "Fix ->" and click "OK" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit"

Run ABout Buster just as described in the link!

Please run it until you get these Results:

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Double-click the cwsserviceremove.reg file you downloaded at the beginning.
Answer "Yes" when prompted to add the contents to the registry.

Run CleanUp!

Click on the "CleanUp!" Tab and let it do its thing!


Locate and Delete:

C:\WINDOWS\system32\gpebp.dll<< File only!

C:\WINDOWS\netne32.dll<< File only!

C:\WINDOWS\msmr32.exe<< File only!

C:\WINDOWS\netne32.exe<< File only!

C:\WINDOWS\system32\javaie.exe<< File only!

Please Keep a list of any files not found or that couldn't be deleted and make sure to list those in the next post!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab:
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart in Normal Mode and Have the PC scanned here:
http://www.pandasoft...n_principal.htm

You will need to be using Internet Explorer for the Scan to work!

Once that's complete, Scan the PC with HijackThis again, Post those results along with the Results from the Online Scan!
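An added example, not part of the thread: a small Python triage pass over HijackThis entries copied from the log in post #1. The four rules are assumed heuristics chosen to match the kinds of entries the reply marks for fixing; they are not HijackThis's or CWShredder's own logic.

```python
import re

# Entries copied from the HijackThis log in post #1: some are marked for
# fixing in the reply, the others are left alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gpebp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://government.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1A0DC0EF-7DEF-92DA-6241-3E7CFC5F61EB} - C:\WINDOWS\netne32.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [msmr32.exe] C:\WINDOWS\msmr32.exe
O4 - HKLM\..\RunOnce: [javaie.exe] C:\WINDOWS\system32\javaie.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ieob32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

# (section-code pattern, body pattern, reason). Assumed heuristics only.
RULES = [
    (r"R[01]", re.compile(r"= res://.+\.dll/", re.I),
     "IE search/start page served from a local DLL resource"),
    (r"O2", re.compile(r"BHO: Class - \{"),
     "browser helper object registered without a class name"),
    (r"O4", re.compile(r"\[(?P<n>[^\]]+\.exe)\] C:\\WINDOWS\\(system32\\)?(?P=n)$", re.I),
     "autorun value named after an EXE sitting in the Windows directory"),
    (r"O23", re.compile(r"Unknown owner - .+\(file missing\)$"),
     "service with unknown owner and a missing binary"),
]

def triage(log_text):
    """Return (code, reason, line) for each entry that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        for code_pat, body_pat, reason in RULES:
            if re.fullmatch(code_pat, m["code"]) and body_pat.search(m["body"]):
                findings.append((m["code"], reason, line))
                break
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

A match is only a prompt for manual review of that entry; legitimate software can trip any of these rules.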