Trouble with hijacked browser

Discussion in 'Windows Desktop Systems' started by Striker, Mar 15, 2005.

  1. Striker

    Striker OSNN Junior Addict

    Messages:
    20
    I'm really having trouble getting rid of this one. It keeps coming back after any restart, and I've tried a number of free programs which haven't really helped. I'd rather not admit defeat and reformat. Anyway, my HJT log is as follows (after a restart; sorry there's a lot of junk in there, I could do it in Safe Mode if it would be easier). I guess I should finally bite the bullet and switch to Firefox.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:31:34 AM, on 15/03/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\PROGRA~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\WINDOWS\msqx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TDispVol.exe
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\netda32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Globe Software\StatBar\StatBar.exe
    C:\Program Files\Ghrone\Ghrone.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Rainlander\Rainlendar.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\downloaded\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ndudj.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ndudj.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ndudj.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ndudj.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ndudj.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ndudj.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ndudj.dll/sp.html#93256
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {63FB9E66-2869-4D50-CAA2-E2A65E2E5E8F} - C:\WINDOWS\ntpe32.dll
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [netda32.exe] C:\WINDOWS\system32\netda32.exe
    O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
    O4 - HKCU\..\Run: [Ghrone] C:\Program Files\Ghrone\Ghrone.exe
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlander\Rainlendar.exe
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Tmesbs32 - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\msqx.exe
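The triage that the replies below do by eye on this log, as an added example that is not part of the thread and not HijackThis code: it parses a HijackThis-format log and flags the indicators a practitioner looks for in a CoolWebSearch-style hijack (start/search pages served from a local DLL via res://, a missing URLSearchHook, a nameless BHO, Run entries named after their own executable in the Windows directory, services with an unknown vendor), then lists which of those files are currently running and so need Safe Mode before deletion. The embedded log is a constructed excerpt modelled on the one posted above, not the full log.

```python
"""Triage a HijackThis log for CoolWebSearch-style hijack indicators.

Added example for this thread; it is not HijackThis code and not the
original poster's. The heuristics are the ones the thread's advice applies
by hand: res:// search pages, a missing URLSearchHook, nameless BHOs,
Run entries and Unknown-vendor services that live directly in the
Windows directory.
"""
import re

# Constructed excerpt modelled on the log posted in the thread (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\msqx.exe
C:\WINDOWS\system32\netda32.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ndudj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63FB9E66-2869-4D50-CAA2-E2A65E2E5E8F} - C:\WINDOWS\ntpe32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [netda32.exe] C:\WINDOWS\system32\netda32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\msqx.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)
RUN_RE = re.compile(r"\[(?P<label>[^\]]+)\]\s*(?P<cmd>.*)$")
# A file sitting directly in %WINDIR% or %WINDIR%\system32 (no deeper subfolder).
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$")


def in_windows_dir(path: str) -> bool:
    return WINDIR_RE.match(path.lower()) is not None


def first_path(text: str):
    """Lower-cased first drive-letter .exe/.dll path in the text, or None."""
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def triage(log_text: str) -> dict:
    """Return {'findings': [(kind, reason, path)], 'files': {path: running}}."""
    findings, running, in_procs = [], set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if not m:
            if in_procs and PATH_RE.match(line):
                running.add(line.lower())      # remember what is live right now
            continue
        in_procs = False
        kind, body = m.group("kind"), m.group("body")
        path = first_path(body)
        reason = None
        if kind in ("R0", "R1") and "= res://" in body:
            reason = "IE start/search page served from a local DLL resource (res://)"
        elif kind in ("R0", "R1") and body.endswith("= about:blank"):
            reason = "about:blank set as a default page; review alongside the res:// entries"
        elif kind == "R3" and "URLSearchHook is missing" in body:
            reason = "default URLSearchHook removed"
        elif kind == "O2" and ("(no name)" in body or (path and in_windows_dir(path))):
            reason = "BHO with no name or living directly in the Windows directory"
        elif kind == "O4":
            r = RUN_RE.search(body)
            if (r and path and in_windows_dir(path)
                    and r.group("label").lower() == path.rsplit("\\", 1)[-1]):
                reason = "Run entry named after its own executable in the Windows directory"
        elif kind == "O23":
            parts = body[len("Service: "):].split(" - ")
            if len(parts) >= 3 and parts[1] == "Unknown":
                reason = "service with unknown vendor"
        if reason:
            findings.append((kind, reason, path))
    # Files to delete by hand; True means the process is live and needs Safe Mode first.
    files = {p: (p in running) for _, _, p in findings if p and in_windows_dir(p)}
    return {"findings": findings, "files": files}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, reason, path in result["findings"]:
        print(f"{kind:3} {reason}" + (f"  [{path}]" if path else ""))
    print("files to remove in Safe Mode (True = currently running):")
    for path, active in result["files"].items():
        print(f"  {path}: {active}")
```

The label-equals-filename rule for O4 is what separates `[netda32.exe]` from a vendor entry such as `[NeroCheck]`: installers name their Run values, while a dropper that writes the value with its own filename does not bother. It is a heuristic, so anything it flags still gets confirmed against the file's vendor, signature and location before it is fixed.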
     
  2. Kush

    Kush High On Life!

    Messages:
    4,590
    Location:
    Montreal, Quebec
    Of course switch to Firefox, FOX ALL THE WAY!
     
  3. Kush

    Kush High On Life!

    Messages:
    4,590
    Location:
    Montreal, Quebec
    C:\WINDOWS\system32\netda32.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\System32\00THotkey.exe
    000StTHK.exe
    C:\WINDOWS\ntpe32.dll

    All these look suspicious to me; I would delete these files after removing them from the startup, because I bet they are there. Also, what antivirus are you using? Seems like something like Norton or something. Switch to AVG, run it in Safe Mode, remove all viruses and then remove them from your startup.
     
  4. mlakrid

    mlakrid OSNN BASSMASTER Political User Folding Team

    I myself have never had my browser hijacked, but I did find this link:

    http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1059316,00.html

    Maybe there is something you haven't tried in one of these responses.

    Hijackthis was one of them...

    If it was a virus of any kind, you can also download and use Stinger; it is a utility that is updated once in a while to get rid of nasty viruses that won't allow virus scanners to get rid of them. http://vil.nai.com/vil/stinger/

    Sorry I can't help more; I haven't had to research or deal with this problem at home or at work.
     
  5. Striker

    Striker OSNN Junior Addict

    Messages:
    20
    I think THotkey is part of the Toshiba built-in stuff, but I'll give the rest a try and see what happens. Thanks for the quick response.

    edit:
    C:\WINDOWS\system32\netda32.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    Getting rid of those two seemed to fix my problem; the stuff still reappears when I restart, but my browser is no longer jacked and there are no more random pop-ups.
     
  6. jw50

    jw50 OSNN Senior Addict

    Messages:
    354
    Hi Striker,

    1. Prepare CWShredder for use:
      • Download CWShredder.
      • Save CWShredder.exe to a convenient location.
      • Please do not do anything with it yet.
    2. Prepare AboutBuster for use:
      • Download AboutBuster.
      • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
      • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
      • Click "OK" at the prompt with instructions.
      • Click "Update" and then "Check For Update" to begin the update process.
      • If any updates exist please download them by clicking "Download Update".
      • You should not run the program yet so click "Exit".
    3. Prepare cwsserviceremove.reg for use:
      • Download cwsserviceremove.zip.
      • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
      • Please do not do anything with it yet.
    Reconfigure Windows XP to show hidden files:
    Click Start. Open My Computer.
    Select the Tools menu and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option.
    Uncheck the "Hide file extensions for known file types" option.
    Click Yes to confirm. Click OK.

    Boot into Safe Mode:
    Restart your computer and immediately begin tapping the F8 key on your keyboard.
    If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
    To return to normal mode just restart your computer as you normally would.
    1. Run CWShredder:
      • Double-click on CWShredder.exe.
      • Click "Fix ->" and click "OK" at the prompt.
      • CWShredder will scan and clean your system of CWS files.
      • Click "Next->" and then "Exit".
    2. Remove the offending service:
      • Double-click on cwsserviceremove.reg you downloaded earlier.
      • When it asks you to merge the information to the registry click "Yes".
    3. Run AboutBuster and save the logs:
      • Browse to where you saved AboutBuster and run AboutBuster.exe.
      • Click OK at the directions prompt.
      • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
      • Click Yes to allow it to shutdown explorer.exe.
      • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
      • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
      • Run AboutBuster a second time.


      Run HijackThis and place checks beside each of the following:
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ndudj.dll/sp.html#93256
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ndudj.dll/sp.html#93256
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ndudj.dll/sp.html#93256
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ndudj.dll/sp.html#93256
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ndudj.dll/sp.html#93256
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ndudj.dll/sp.html#93256
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ndudj.dll/sp.html#93256
      R3 - Default URLSearchHook is missing
      O2 - BHO: (no name) - {63FB9E66-2869-4D50-CAA2-E2A65E2E5E8F} - C:\WINDOWS\ntpe32.dll
      O4 - HKLM\..\Run: [netda32.exe] C:\WINDOWS\system32\netda32.exe
      O23 - Service: Network Security Service - Unknown - C:\WINDOWS\msqx.exe


      After you check these items, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

      Next use Windows Explorer to navigate to these locations and delete the following files if they are still there:
      C:\WINDOWS\ndudj.dll
      C:\WINDOWS\ntpe32.dll
      C:\WINDOWS\msqx.exe
      C:\WINDOWS\system32\netda32.exe
    4. Clean out temporary files:
      • Start | Run | type cleanmgr | OK
      • Let it scan your system for files to remove.
      • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
      • Click "OK" to remove them.
      • Click "Yes" to confirm the deletion.
    5. Restart your computer normally to return to normal mode.
    6. Free TrendMicro Housecall scan:
      • Visit the TrendMicro Housecall website.
      • Select your country from the drop-down list and click "Go".
      • Choose "Yes" at the ActiveX Security Warning prompt.
      • Please wait while the Housecall engine is updated.
      • Select the drives to be scanned by placing a check in their respective boxes.
      • Check the "Auto Clean" box.
      • Click "SCAN" in order to begin scanning your system.
      • Please be patient while Housecall scans your system for malicious files.
      • If not auto-cleaned, remove anything it finds.
      • Click "Close" to exit the Housecall scanner.
      • Choose "Yes" at the HouseCall message prompt.
    7. Prepare your reply:
      • Please post a fresh HijackThis log
      • Please post the AboutBuster log.
      • Please note any complications you had.
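A way to confirm that the cleanup above actually held, as an added example that is not from the thread or from any of the tools it names. It assumes a present-day PowerShell run from an elevated prompt (the XP SP1 machine in the thread predates PowerShell), and it takes the four file paths and the BHO CLSID straight from the posted log; anything it reports after the reboot in step 5 is a persistence point the fix did not remove, which is the "keeps coming back after a restart" symptom the original post describes.

```powershell
# Added example for this thread, not from the original posters or from any of
# the tools they mention. Assumes a present-day PowerShell, run elevated, after
# the Safe Mode cleanup and the reboot back into normal mode.

# Indicators taken from the HijackThis log posted in the thread.
$files    = @("$env:windir\ndudj.dll", "$env:windir\ntpe32.dll",
              "$env:windir\msqx.exe",  "$env:windir\system32\netda32.exe")
$bhoClsid = '{63FB9E66-2869-4D50-CAA2-E2A65E2E5E8F}'
$winDir   = [regex]::Escape($env:windir)          # usually C:\WINDOWS
$findings = @()

# 1. IE start/search values (the R0/R1 lines) still pointing at a res:// DLL.
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in 'Main', 'Search') {
        $key = "$($hive):\Software\Microsoft\Internet Explorer\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like 'res://*') {
                $findings += "IE value: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. The nameless BHO (the O2 line): both the BHO registration and its CLSID.
$bhoKey   = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
$clsidKey = "HKLM:\Software\Classes\CLSID\$bhoClsid"
if (Test-Path $bhoKey)   { $findings += "BHO still registered: $bhoKey" }
if (Test-Path $clsidKey) { $findings += "CLSID still registered: $clsidKey" }

# 3. Run values (the O4 lines) whose command lives directly in %WINDIR% or system32.
$runRegex = "^(?i)`"?$winDir\\(system32\\)?[^\\]+\.exe"
foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $run)) { continue }
    foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSDrive, ... are not values
        if ($p.Value -is [string] -and $p.Value -match $runRegex) {
            $findings += "Run value: [$($p.Name)] $($p.Value)"
        }
    }
}

# 4. Services (the O23 line) whose binary sits directly in %WINDIR%, like msqx.exe.
$svcRegex = "^(?i)`"?$winDir\\[^\\]+\.exe"
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -and $svc.PathName -match $svcRegex) {
        $findings += "Service: $($svc.Name) ($($svc.DisplayName)) -> $($svc.PathName)"
    }
}

# 5. The files themselves; -Force so hidden/system attributes do not hide them.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $attr = (Get-Item -LiteralPath $f -Force).Attributes
        $findings += "File present: $f [$attr]"
    }
}

if ($findings.Count -eq 0) {
    'Clean: none of the indicators from the log remain.'
} else {
    $findings | ForEach-Object { "STILL PRESENT: $_" }
}
```

If the file check is clean but the Run value or service comes back after another reboot, something not in the log is recreating them; in that case the next HijackThis log to post is one taken from Safe Mode, as the original poster offered, so the respawner is not running while the log is made.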