popup problems and browser hijack - please assist

Discussion in 'adware, spyware & hijack cleaning' started by ronron, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. ronron

    ronron Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    1
    Hi
    I have Ad-aware 6 and spybot 1.3 both update. I also had spywareblaster but it stop working and give a massage “This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it”. Trying to reinstall faild.
    When operating Ad-aware 6 I always find a subspecies run process in windows or system32 library. Ad-aware fail to remove it and when I remove it manually by stop the process and delete the file, Ad-awere always find a new process run again in different name. All the files are from the company coolWebsearch. In above all my browser always open in this adrres “res://tpzhu.dll/index.html#96676” no matter what I will set in the “Internet option” on my browser. I got a lot of popup massages that said that my computer infect by spy SW +giving my fix IP and suggest me to buy SW against Spy SW and so on…
    I attach the log of hijackthis. Please assist me to solve this problem.
    Thanks
    Ron
     

    Attached Files:

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Logfile of HijackThis v1.97.7
    Scan saved at 15:08:15, on 24/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\Program Files\Cisco Systems\VPN Client\ipseclog.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\crig.exe
    C:\WINDOWS\system32\winbd32.exe
    C:\Documents and Settings\Owner\My Documents\Ron\protect\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tpzhu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tpzhu.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tpzhu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tpzhu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tpzhu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tpzhu.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8D48267B-92A9-5684-83DC-0E47E94F8B80} - C:\WINDOWS\system32\mskb32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\he-il\msntb.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [ntco32.exe] C:\WINDOWS\system32\ntco32.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [winbd32.exe] C:\WINDOWS\system32\winbd32.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [ipvb32.exe] C:\WINDOWS\system32\ipvb32.exe
    O4 - HKLM\..\RunOnce: [ntqd32.exe] C:\WINDOWS\system32\ntqd32.exe
    O4 - HKLM\..\RunOnce: [crig.exe] C:\WINDOWS\crig.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.mt-download.com
    O15 - Trusted Zone: http://*.xxxtoolbar.com
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt0_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38123.5372685185
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {B91AE818-6545-49F6-8C05-6F7C608F6666} (SpeaK Control) - http://www.macron.co.il/SpeaKProj1.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4367/mcfscan.cab
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi ronron,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\crig.exe
    C:\WINDOWS\system32\winbd32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tpzhu.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tpzhu.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tpzhu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tpzhu.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tpzhu.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tpzhu.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {8D48267B-92A9-5684-83DC-0E47E94F8B80} - C:\WINDOWS\system32\mskb32.dll

    O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [ntco32.exe] C:\WINDOWS\system32\ntco32.exe

    O4 - HKLM\..\Run: [winbd32.exe] C:\WINDOWS\system32\winbd32.exe

    O4 - HKLM\..\RunOnce: [ipvb32.exe] C:\WINDOWS\system32\ipvb32.exe
    O4 - HKLM\..\RunOnce: [ntqd32.exe] C:\WINDOWS\system32\ntqd32.exe
    O4 - HKLM\..\RunOnce: [crig.exe] C:\WINDOWS\crig.exe
    O4 - Startup: PowerReg Scheduler V3.exe

    O15 - Trusted Zone: http://*.mt-download.com
    O15 - Trusted Zone: http://*.xxxtoolbar.com

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/...iker/wtinst.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\tpzhu.dll
    C:\WINDOWS\system32\mskb32.dat
    C:\WINDOWS\crig.exe
    C:\WINDOWS\system32\winbd32.exe
    C:\WINDOWS\system32\inetsrv\services.exe
    C:\WINDOWS\system32\drivers\csrss.exe

    Also read here for any additional repairs that might be necessarÿ:
    https://www.wilderssecurity.com/showpost.php?p=198412&postcount=26

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.