1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Spyware Block MSN site,,,,Help Needed

Discussion in 'Virus & Other Malware Removal' started by chas1025, Nov 15, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. chas1025

    chas1025 Thread Starter

    Joined:
    Nov 15, 2003
    Messages:
    2
    I have had my first experience with nasty spyware. When trying to go to www.msn.com ,,,,ie was hijacked by www.scanthenet.com except that when it went to this site it would still show www.msn.com in the address line. Anytime I tried to type www.msn.com it would show msn in the address, but would always show scan the net.

    From a recommendation from a couple of guys I downloaded adaware and it stopped scan the net from coming up,,,but now I just get a page not found when trying to go to www.msn.com----next I was advised by someone to download hijackthis and post the information found for you guys to help out with,,,,so here it is and thanks in advance if someone can tell me what to do..

    Logfile of HijackThis v1.97.6
    Scan saved at 12:06:58 PM, on 11/15/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Picasa\PicasaMediaDetector.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\E-Color\Common\IconMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\Program Files\Common Files\Skyscape\smARTupdate.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = @comcast.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 66.98.142.169 auto.search.msn.com
    O1 - Hosts: 66.98.142.169 search.msn.com
    O1 - Hosts: 66.98.142.169 msn.com
    O1 - Hosts: 66.98.142.169 www.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [lgfzdfe] "C:\WINDOWS\System32\lgfzdfe.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
    O4 - Global Startup: Event Reminder.lnk = ?
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Sony PDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
    O4 - Global Startup: SonyPDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://a248.e.akamai.net/v/248/8494/1d/components.viewpoint.com/MSNPromo/MetaStream3.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37610.7025115741
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

    Thanks

    Charles
     
  2. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    With IE open click the Tools menu; Internet Options; Under the Home Page section's Address box, clear the box and the type in http://www.msn.com - Click the Apply button; Click the OK button.

    You've got way too much running at Windows startup.

    Check your available resources by right-clicking My Computer; clicking Properties; Click the Performance tab. Resources available are displayed as percent there at top. Check it when you get done running the System Configuration Utility mentioned below.

    Click the Start button; Run; type 'msconfig', without the quotation marks, in the Run box and click OK; Then click the Startup tab; Uncheck anything you don't need running in the background. For reference on what's not needed running in the background in the System Configuration Utility, view this website first and print out the list:

    http://www2.whidbey.net/djdenham/Running_items.htm

    It's important that you print out the above mentioned list. The site provides a printer friendly link.

    In the System Configuration Utility (SCU), you can uncheck programs you suspect one at a time and restart your computer. If something doesn't work right, you can always go back into the SCU and re-check it and restart your computer via the Start button. The changes are completely reversible by re-checking an item in SCU or by selecting Normal Startup under the General tab in the SCU and all the programs listed run when Windows starts as it was before you started.

    ***

    You need to be running a firewall like free Sygate from http://download.com - type, sygate, in the Search box, you must be on-line to register Sygate.

    ***

    You might post exactly what programs you have in the Add/Remove Programs Control Panel list box.

    ***

    Go to http://housecall.trendmicro.com or http://www.pandasoftware.com/activescan/com/activescan_principal.htm and click the Scan Now link to run a free on-line virus scan.
     
  3. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Hi chas1025, welcome to TSG.

    You do have some gator stuff there and this looks suspicious:

    O4 - HKLM\..\Run: [lgfzdfe] "C:\WINDOWS\System32\lgfzdfe.exe"


    ....in addition to styxx's recommendation, go here and follow the instructions for downloading and setting up AdAware:

    http://forums.techguy.org/t164245/s.html

    Scan with AdAware and fix whatever it finds.

    Then post your log again, okay?

    :)
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    fix these in Hijackthis then run adaware and the post a new log to check
    O1 - Hosts: 66.98.142.169 auto.search.msn.com
    O1 - Hosts: 66.98.142.169 search.msn.com
    O1 - Hosts: 66.98.142.169 msn.com
    O1 - Hosts: 66.98.142.169 www.msn.com
    O4 - HKLM\..\Run: [lgfzdfe] "C:\WINDOWS\System32\lgfzdfe.exe"
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
     
  5. chas1025

    chas1025 Thread Starter

    Joined:
    Nov 15, 2003
    Messages:
    2
    I would like to thank all of your guys for your help. I tried the software fixes, scan the net reappeared. I then tried Derek's advice on the suspicious reg entries and fixed them through hijack this.

    Now everything seems to work fine. No more scan the net, msn works fine. I will say that finding all of the spyware was an eye opening experience. I will definitely hang around this forum for tips and such.

    Thanks to all...

    Charles
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/179787

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice