Browser hijack problem please help

Discussion in 'adware, spyware & hijack cleaning' started by carrie, May 4, 2004.

Thread Status:
Not open for further replies.
  1. carrie

    carrie Registered Member

    Joined:
    May 4, 2004
    Posts:
    1
    I got a browser hijack that I've partially fixed, but there is a recurring problem where every hour or so a new browser window pops up. It seems to be from two programs that were added to my system called dl.exe and dlm.exe. When I try and delete those programs, it says they are running. When I try and invoke my Task Manager to stop them running, the window doesn't stay up (it just flashes on the screen and then goes away). I ran Ad-are and Spybot, and have run the hijackthis program and the log follows. I see the programs that are causing the problem - they say Dial 32 and Dial 33 after them. Is it okay to mark those 2 and say 'Fix'? How do I get my Task Manager to stay on the screen? It seems it has been disabled somehow?

    Logfile of HijackThis v1.97.7
    Scan saved at 1:06:39 PM, on 5/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\QUICKENW\QAGENT.EXE
    C:\WINDOWS\dlm.exe
    C:\WINDOWS\dl.exe
    C:\WINDOWS\System32\MSCONFIG32.EXE
    C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
    C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\ACT\SideACT.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    c:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Karen Clothier\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
    F0 - system.ini: Shell=explorer.exe nstask32.exe
    F2 - REG:system.ini: Shell=explorer.exe nstask32.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
    O4 - HKLM\..\Run: [NDplDeamon] nstask32.exe
    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
    O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
    O4 - HKCU\..\RunOnce: [NDplDeamon] nstask32.exe
    O4 - HKCU\..\RunOnce: [MSConfig] MSCONFIG32.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
    O4 - Global Startup: webdav.exe
    O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
    O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083604024196
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37844.6938888889
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - https://ecommerce.polygon.net/CFIDE/classes/CFJava.cab


    Thanks,
    -Carrie
     
  2. flrman1

    flrman1 Spyware Fighter

    Joined:
    Apr 11, 2004
    Posts:
    41
    Location:
    North Carolina
    Click here to download CWShredder. Close all browser windows,UnZip the file, click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.

    When it is finished restart your computer.

    IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

    The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

    Now start your computer in safe mode. To start you computer in safe mode, turn off the computer for 30 seconds and then power up. On the first screen that appears begin tapping the F8 key repeatedly until you get to the Boot menu. Use the Up and Down arrow keys to select "Safe Mode" and hit the Enter key.


    In safe mode run Hijack This again and put a check by any of these that are left. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

    F0 - system.ini: Shell=explorer.exe nstask32.exe

    F2 - REG:system.ini: Shell=explorer.exe nstask32.exe

    O4 - HKLM\..\Run: [NDplDeamon] nstask32.exe

    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe

    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe

    O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE

    O4 - HKCU\..\RunOnce: [NDplDeamon] nstask32.exe

    O4 - HKCU\..\RunOnce: [MSConfig] MSCONFIG32.EXE

    O4 - Global Startup: webdav.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe


    Next, while still in safe mode, click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Then find and delete:

    The C:\WINDOWS\dlm.exe file
    The C:\WINDOWS\dl.exe file
    The C:\WINDOWS\System32\MSCONFIG32.EXE file
    The C:\WINDOWS\System32\nstask32.exe file
    The C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe file

    Boot back to normal.
     
Thread Status:
Not open for further replies.