Not sure if it's a trojan but..

Discussion in 'malware problems & news' started by Emosem, Aug 4, 2004.

Thread Status:
Not open for further replies.
  1. Emosem

    Emosem, Registered Member; Joined: Jun 4, 2004; Posts: 4

    Hey- thanks for any help, in advance.
    I've got this trojan / hijack or something on my browser. It's changed my homepage to this: res://kbzgw.dll/index.html#96676 and is coupled with spyware in the form of popups. I've done hijackthis etc, found it to be this BHO: O2 - BHO: (no name) - {7F33EE95-71F6-CC46-9B9F-9B4D5BE2D80B} - C:\WINDOWS\d3fr32.dll
    and this is suspect too: O4 - HKLM\..\Run: [mfcpv32.exe] C:\WINDOWS\mfcpv32.exe..
    I've tried to remove them, but they are constantly reinstalled. I've got 2 programs (ShoppingWizard and SearchExtender) in my add/remove programs registry, but I can't uninstall them... when I try to remove, I get an error that it can't load "http://looking-for.cc/uninstall/shoppingwizard.html".
    That's as comprehensive as I can be. It's also of note that if I reset my homepage / settings, they are immediately reversed to the aforementioned, and spywareguard completely misses it. Also, if I type any address without the www. prefix, IE adds a # before the url and directs me to another page similar to the spyware-ridden first. Example- wilderssecurity.com turns out as #wilderssecurity.com and 15 pop ups. Rather annoying.
    Thanks again.
     
    Last edited: Aug 4, 2004
  2. Arin

    Arin, Registered Member; Joined: May 1, 2004; Posts: 997; Location: India

    dear Emosem, have you tried running Spybot Search 'n' Destroy? some spyware requires the uninstaller to be downloaded from a webpage. probably that's why the page was being loaded. there has been some change in policy regarding HJT log cleaning so i can't tell you more.
     
  3. snapdragin

    snapdragin, Administrator; Joined: Feb 16, 2002; Posts: 8,415; Location: Southern Ont., Canada

    Hi Emosem, and welcome to Wilders.

    What you have is one of the newer and nastier variants of CoolWebSearch, which involves using specific removal tools, posting a hijackthis log, and step-by-step instructions by someone experienced in removing this type of hijacker.

    As AMRX has mentioned above, we no longer provide this type of system cleaning service, but you can find a list of other security sites that do provide HijackThis log analysis at this link: http://a-sap.org/

    Whichever site you decide to go to, please be sure and follow their posting policy before you post your hijackthis log.

    Regards,

    snap
     
  4. Emosem

    Emosem, Registered Member; Joined: Jun 4, 2004; Posts: 4

    Well that's good news that it's identified, but then bad news twice. Thanks for the info though. Curious: Why the exodus from helping with problems like this? I'd guess it's time consumption, but eh..I'm sure there's a good reason. Thanks anyway.
     