Adware problem

  moso 00:23 11 Dec 04
Locked

My IE home page has been hijacked by an advertisement page that intermittently fires pop-ups. Norton Internet Security 2004 tells me that I have two Adware.Iefeats [each in a separate file - netdn32.dll and swidkj.dat] and also Adware.Main Search in gsysmqq.dll. Norton cannot delete these.

I have downloaded the file from Symantec that is said to get rid of Adware.Iefeats but it cannot identify it. I have followed instructions for manual removal to no avail. Similarly I have tried to remove Adware.Main Search manually by following Symantec's instructions but again to no avail.

I can't identify these files by doing a search in Windows Explorer. Spybot and Ad-Aware don't help either.

Is there anyone out there who can help me? I am a novice.

Moso

  VoG II 00:31 11 Dec 04

Please post a HJT log click here

You may need to post a few lines at a time because this site limits you to 800 words per post. Also, please double-space it by adding a blank line every other line.

  moso 00:11 12 Dec 04

I'm having trouble getting the HJT log. I follow the instructions and download HijackThis and start the scan but after around 5 seconds the HJT window vanishes. Around 10 lines of text are produced before the window vanishes and the scan button does not change to Save Log.

  DoctorButcher 09:09 12 Dec 04

Try this click here

  VoG II 14:15 12 Dec 04

click here and look at "CWShredder or HijackThis closes immediately after opening? "

Download the CoolWWWSearch.SmartKiller removal tool and run it. HijackThis should then run properly.

  moso 00:53 17 Dec 04

I've finally managed to get the HJT log. I'm sending it in two postings:

Logfile of HijackThis v1.97.7
Scan saved at 00:28:02, on 17/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\McAfee\QuickClean\PlgUni.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Intense Language Office\COMMON\Offman.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE

C:\WINDOWS\msagent\AgentSvr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\MLC\Local Settings\Temporary Internet Files\Content.IE5\CP6BWD6F\HijackThis[1].exe

C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MLC\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MLC\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <none>

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MLC\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MLC\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\MLC\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = click here

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\MLC\LOCALS~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = click here

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

  compaq1234567890 01:56 17 Dec 04

If you are using Windows XP go to the start menu and then click on the search button. Once on the search window click on search all files and folders and then put in the name of the adware. So you would go start, search, search all files and folders and then put in netdn32.dll and then click search. Once the result has come up simply press delete and this should solve your problem.

Hope this helps!

  GANDALF <|:-)> 09:11 17 Dec 04

You need to empty all your temp files as the problems are mainly in there. Download Ccleaner from click here it and delete everything it finds. Turn off system restore and run Adaware from click here. Run Ccleaner again. You could also run spybot from click here.

Then turn system restore back on.

G

  moso 17:42 17 Dec 04

Here is the next sequence of the HJT log:


O2 - BHO: (no name) - {2E50AB34-1C5E-4A37-8C15-62A6AF24AA1E} - C:\WINDOWS\qsysmsgq.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK

O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\PlgUni.exe" /START

O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN

O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\matr26\1065984.exe -remove

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe

O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

  moso 17:47 17 Dec 04

Here is the final sequence of the HJT log:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {10000001-1001-1001-1000-000000000000} - file://C:\Program Files\Internet Explorer\KvsEni.exe

O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - click here

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - click here

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - click here

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - click here

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - click here

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - click here

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - click here

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - click here

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - click here

O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - click here

O17 - HKLM\System\CCS\Services\Tcpip\..\{A11F12AD-5D92-4572-93D6-A1429841FD3E}: NameServer = 213.120.62.97 213.120.62.104

  Nellie2 19:31 17 Dec 04

Download FxAgentB.exe from click here and save it to your desktop. After downloading, double-click the FxAgentB file to run it and the program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later. Reboot when done.

Next click click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'.
Then click click here to download Ad-Aware SE and install. Before scanning click on "check for updates now" to make sure you have the latest reference file.

Click "Start", select "Perform Full System scan" and "Next" to start the scan. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done.

Delete the version of HijackThis that you have (it is very out of date) and replace it with version 1.99.0 available here click here. Rescan with HijackThis and post a new log here, together with the FxAgentB log.

If you have problems with the new version (there have been reports of it crashing etc) then you can still get version 1.98.2 click here. Please make sure you extract it from the zip file into its own folder before running it.
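
A triage pass over the HijackThis log posted earlier in this thread, as an added example that is not part of any post here and is not HijackThis's own logic. The three heuristics (IE settings pointing into a Temp folder, an unnamed BHO loaded straight from the Windows folder, an O16 entry installed from a local file) and the function name `triage` are assumptions made for illustration; a match is a lead for review, not a verdict.

```python
import re

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\MLC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {2E50AB34-1C5E-4A37-8C15-62A6AF24AA1E} - C:\WINDOWS\qsysmsgq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O16 - DPF: {10000001-1001-1001-1000-000000000000} - file://C:\Program Files\Internet Explorer\KvsEni.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "R1 - ...", "O16 - ..."
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
TEMP_URL = re.compile(r"= file://.*\\temp\\", re.I)       # IE setting -> local Temp file
WINDIR_DLL = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.I)
DPF_LOCAL = re.compile(r"^DPF: .* - file://", re.I)       # ActiveX codebase on local disk


def triage(log_text):
    """Return (section, reason, entry) tuples worth a closer look.

    The heuristics are assumptions for this example, not HijackThis rules.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # blank spacer lines, header lines, the process list
        section, body = m.groups()
        if section in ("R0", "R1") and TEMP_URL.search(body):
            findings.append((section, "IE setting points at a file in a Temp folder", body))
        elif section == "O2":
            b = BHO.match(body)
            if b and b.group(1) == "(no name)" and WINDIR_DLL.match(b.group(3)):
                findings.append((section, "unnamed BHO loaded from the Windows folder", body))
        elif section == "O16" and DPF_LOCAL.search(body):
            findings.append((section, "ActiveX entry installed from a local file", body))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {entry}")
```

The second unnamed BHO in the sample (SDHelper.dll under the Spybot folder) is deliberately not flagged, which shows why the name check is paired with the path check.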

This thread is now locked and can not be replied to.
