Help me kill this

By edawg159
Apr 15, 2008
  1. OK, so I got a nasty infection with that malware that takes over your task manager and turns your desktop into a blue "Warning:you have a spyware infection" and fires off pop-ups like crazy.

    I ran through the instructions on these forums and was able to remove nearly all the infections. All scans in the preliminary instructions come back clean.

    The problem that remains is when I perform Google searches, when the Google links appear and I click on them, I get redirected/jump to some other page. This happens maybe every 3rd search.

    I've been working on cleaning my machine for a couple days, hopefully an expert on this board can help me finish this thing off. Any help is appreciated.

    Enclosed is a recent HJT log
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Pretty sure this is the problem:

    Please click start ->run-> regedit

    And do a search for this key db41de82-1dd1-11b2-b7fd-fbaf280c36b9
    (it'll be under browser helper object, in HKEY_LOCAL_MACHINE)

    Once found remove it

    Also remove C:\WINDOWS\ngjwfexo.dll
    (from the windows directory)

    This will help you a lot I believe
  3. edawg159

    edawg159 TS Rookie Topic Starter

    Thanks so much, I was able to find it and delete it. I also ran Webroot's spysweeper and it found another spyware trojan; I was able to delete it from the C:\Windows and from the C:/recyler. I'm going to do a full scan overnight. I'll post the results if anything is strange.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    We have spyware specialists here, that can confirm every step you should take.
    From reading many posts from these guys, it is possible that you may be still infected (ie I'm not a Spyware specialist, but I can help a little)

    Therefore, you may want to attach your log and scan results to a new post here (and then wait for a reply)
    By the way (a little bit more advice!) I'd say remove Norton fully (didn't help anyway) and install AVG Free and do another big scan (manually updated 3 x, on first install)

    I bet AVG Free finds more positive issues and removes them (strangely)
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Windows XP SP1 <- This is an easy way to become infected. SP2 had a lot of security upgrades, you are also probably missing 60+ updates, and SP3 is already coming out.

    You also have a redirect through RedSheriff, as you can see you can still get to Yahoo! but you are redirected through redsheriff first where they collect info.

    This should be mostly cleared up by Spybot and Adaware, Spybot can set a hosts file for you where this won't happen.
    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
    R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)

    Now close all windows other than HiJackThis, then click Fix Checked.


    I highly recommend you upgrade to SP2 as soon as possible, after we get you clean
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Platform: Windows XP SP1 (WinNT 5.01.2600)
    I missed that :(
    But Blind Dragon doesn't miss a beat
    From now on I'll check that too (plus Normal; plus version; plus a million other things!)
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Platform and Version glance at that, after that I look to the running processes to check the folder HJT is installed to. Then look at entries
  8. edawg159

    edawg159 TS Rookie Topic Starter

    Thanks all-
    I followed BlindDragon's instruction with HJT,

    I'm updating windows, and I'll re-run AVG and post the log along with a new HJT log
  9. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You may find that AVG may need to be re-installed
    Actually there are many preliminary steps to do before loading SP2
    One of the most important (if not, the number one importance) is to have a virus and basically bug free system, before loading SP2 (otherwise Windows may not load)

    We all remember those days, load SP2. Xp fails !
  10. edawg159

    edawg159 TS Rookie Topic Starter

    OK attached are the new logs after I made the HJT fixes stated in this post and rebooted. I can't install the SP2, I get a message "catalogs fail" it also freezes up my system
  11. kritius

    kritius TS Guru Posts: 2,084

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: (no name) - {db41de82-1dd1-11b2-b7fd-fbaf280c36b9} - (no file)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Rename HijackThis.exe to edawg159.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to edawg159.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.
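
Added example, not part of any poster's reply and not HijackThis's own code: a Python pass over a HijackThis log in the order the helpers in this thread describe (platform and version, the folder HJT runs from, then the entries), flagging entries that point at no file. The sample log is constructed from the lines quoted in this thread; the `triage` function, its report keys and the rule for an empty O16 field are assumptions made for illustration.

```python
import re

# Constructed sample log; the entries are the ones quoted in this thread.
SAMPLE_LOG = r"""Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {db41de82-1dd1-11b2-b7fd-fbaf280c36b9} - (no file)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O2 - BHO: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage(log_text):
    """Return platform, service pack, HJT folder and entries worth a second look."""
    report = {"platform": None, "service_pack": 0, "hjt_folder": None, "flagged": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            # Step 1: platform and version (an old service pack is a finding itself).
            report["platform"] = line.split(":", 1)[1].strip()
            sp = re.search(r"\bSP(\d)\b", line)
            report["service_pack"] = int(sp.group(1)) if sp else 0
        elif line.lower().endswith("\\hijackthis.exe"):
            # Step 2: the folder HJT itself is running from.
            report["hjt_folder"] = line.rsplit("\\", 1)[0]
        else:
            # Step 3: the numbered entries.
            m = ENTRY.match(line)
            if not m:
                continue
            code, body = m.groups()
            reasons = []
            if body.endswith("(no file)"):
                reasons.append("no file on disk")
            if code == "O16" and body.endswith("-"):
                # Assumption: an empty trailing field on a DPF line is worth review.
                reasons.append("empty source field")
            if reasons:
                clsid = CLSID.search(body)
                report["flagged"].append(
                    (code, clsid.group(0) if clsid else None, reasons))
    return report
```
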
  12. edawg159

    edawg159 TS Rookie Topic Starter

    Many thanks for the assistance
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Just to add

    Before loading Service Pack 2, make sure to uninstall all the Spyware and Antivirus and Firewall programs fully first.

    Also consider AVG Free instead of Norton
  14. edawg159

    edawg159 TS Rookie Topic Starter

    One last thing, I ran Search and Destroy and Webroot's SpySweeper again. S&D comes back clean

    however spysweeper is picking up
  15. kritius

    kritius TS Guru Posts: 2,084

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'm quoting my own post, and asking Kritius (or any others a question)

    Can you go from SP1 to SP3 ? (to be released later this month)
  17. kritius

    kritius TS Guru Posts: 2,084

    It's actually usually better to wait until the computer is clean before moving from sp1 to sp2 as moving up on an infected computer can cause problems, at the moment it's probably better to get sp2 before getting sp3.
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    On a clean computer, I believe you can go straight to sp3 from sp1 though because it includes all previous updates
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Thanks Blind Dragon, cause you're not going to believe it, but my Windows OS is Xp SP1, so I was thinking to create a new clean image
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

  21. edawg159

    edawg159 TS Rookie Topic Starter

    I apologize for not posting, running combo fix now
  22. edawg159

    edawg159 TS Rookie Topic Starter

    Here is the combofix log
Topic Status:
Not open for further replies.
