Not sure if it's a trojan but..

Discussion in 'malware problems & news' started by Emosem, Aug 4, 2004.

Thread Status:
Not open for further replies.
  1. Emosem

    Emosem Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    4
    Hey- thanks for any help, in advance.
    I've got this trojan / hijack or something on my browser. It's changed my homepage to this: res://kbzgw.dll/index.html#96676 and is coupled with spyware in the form of popups. I've done hijackthis etc, found it to be this BHO: O2 - BHO: (no name) - {7F33EE95-71F6-CC46-9B9F-9B4D5BE2D80B} - C:\WINDOWS\d3fr32.dll
    and this is suspect too: O4 - HKLM\..\Run: [mfcpv32.exe] C:\WINDOWS\mfcpv32.exe..
    I've tried to remove them, but they are constantly reinstalled. I've got 2 programs (ShoppingWizard and SearchExtender) in my add/remove programs registry, but I cant uninstall them..when I try to remove, I get an error that it can't load "http://looking-for.cc/uninstall/shoppingwizard.html".
    That's as comprehensive as I can be. Its also of note that if I reset my homepage / settings, they are immedietly reversed to the aforementioned, and spywareguard completely misses it. Also, if I type any address without the www. prefix, IE adds a # before the url and directs me to another page similar to the spyware-ridden first. Example- wilderssecurity.com turns out as #wilderssecurity.com and 15 pop ups. Rather annoying.
    Thanks again.
     
    Last edited: Aug 4, 2004
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear Emosem, have you tried running Spybot Search 'n' Destroy? some spywares requires the uninstaller to be downloaded from a webpage. probably thats why the page was being loaded. there has been some change in policy regarding HJT log cleaning so i can't tell you more.
     
  3. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Emosem, and welcome to Wilders.

    What you have is one of the newer, and nastier variants of CoolWebSearch, which involves using specific removal tools, posting a hijackthis log, and step-by-step instructions by someone experienced in removing this type of hijacker.

    As AMRX has mentioned above, we no longer provide this type of system cleaning service, but you can find a list of other security sites that do provide HijackThis log analysis at this link: http://a-sap.org/

    Whichever site you decide to go to, please be sure and follow their posting policy before you post your hijackthis log.

    Regards,

    snap
     
  4. Emosem

    Emosem Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    4
    Well that's good news that it's identified, but then bad news twice. Thanks for the info though. Curious: Why the exodus from helping with problems like this? I'd guess it's time consumption, but eh..I'm sure there's a good reason. Thanks anyway.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.