browser hijack - processes keep reappearing

Discussion in 'adware, spyware & hijack cleaning' started by JRN, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. JRN

    JRN Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    4
    My homepage keeps getting set to res://nmvwn.dll/index.html#27063, and there are several processes/files that keep reappearing after I end/delete them.

    I've run ad-aware and spybot several times, but certain things keep showing up. Spybot also keeps warning me "System Startup global entry - Value added".

    The files involved keep changing names, but ievt.exe and mfccx32.exe are two of the more common ones.

    Here is my HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 1:53:09 PM, on 7/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\SYSTEM32\tbctray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\hijackthis\HijackThis.exe
    C:\WINDOWS\system32\winjz32.exe
    C:\WINDOWS\mfchx32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nmvwn.dll/sp.html#27063
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://nmvwn.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nmvwn.dll/index.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nmvwn.dll/sp.html#27063
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nmvwn.dll/sp.html#27063
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://nmvwn.dll/index.html#27063
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {19A73732-1F85-26F6-C172-27E2A9BAC68E} - C:\WINDOWS\crms.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winjz32.exe] C:\WINDOWS\system32\winjz32.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
    O4 - HKLM\..\RunOnce: [ievt.exe] C:\WINDOWS\ievt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/305b24d9af6b3bfe8d05/netzip/RdxIE601.cab

    Thanks in advance for any help you can provide.
     
    Last edited: Jul 13, 2004
  2. JRN

    JRN Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    4
    Can someone please take a look at my HijackThis log. I first posted it 4 days ago.
     
  3. JRN

    JRN Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    4
    Help anyone?
     
  4. JRN

    JRN Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    4
    Any moderators reading this?
     
    Last edited: Jul 13, 2004
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.