rab5
Trooper
Joined: Jun 04, 2004
Posts: 19
Location: USA
|
Posted: Fri Jun 04, 2004 4:20 pm Post subject: Pesky Browser Hijack won't go away |
|
|
I have been trying for weeks to rid myself of this pesky hijack. When I open my IE browser it displays the about:blank page, but it has been changed to a search page, with no indication of the sponsor of the page. Occasionally, my McAfee software will alert that it has detected and cleaned the file nfp.dll, and indicates that it is part of the StartPage-CZ program. I know it's not a virus per se, but very annoying nonetheless.
I downloaded and ran BHODemon and disabled the nfp.dll BHO. No luck.
I have been in the registry more times than I can count to correct the default page key.
I ran Hijackthis the first time and reviewed the log using the documentation provided at this site. The entry that looked most suspicious to me was
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
I saw where it was suggested to just do a fix on this. I did. I ran the scan again, and the entry was removed.
I rebooted my computer and started IE again. My browser was still hijacked.
Ran a hijackthis scan again... and the entry is back. Log is attached.
Any help you can provide at this point would be greatly appreciated. I have downloaded the cwshredder program I saw suggested in the threads I read, but haven't run it yet, as I'm not sure whether this is a coolweb issue or not; I really don't know who it is. I also checked the CLSID page here at the site, and nfp.dll is not found there either.
Please help me!
Thanks in advance.
R
BTW, why did my McAfee virus scan detect a trojan in my log file? The trojan is Exploit-Mhtredir.gen. It deleted it, so I had to recreate the log file, and this one is not generating the same McAfee virus message. I have recently scanned for viruses with the current dat file, so I know I am clean.
Attachment: hijackthis.txt (8.93 KB)
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2346
Location: USA
|
Posted: Fri Jun 04, 2004 7:44 pm Post subject: |
|
|
Step 1. Download the file from
http://downloads.subratam.org/dllfix.exe
or
http://tools.zerosrealm.com/dllfix.exe
and save it in a place you like.
Step 2.
Double-click or open the self-extracting file. It will ask for installation and a change of location. Please keep it on the boot drive and not anywhere else, preferably on the Desktop.
Step 3.
Navigate to the folder with the contents of the file. You will see there are two more folders inside and two BAT files.
Step 4.
Run start.bat
Run the Option 1. for report
Once the search is complete a ".txt" file should pop up with the name "Output.txt". Keep it. You will see there is a random dll named there if found.
Upload the output.txt and the windows.txt file if there is one.
Once I have that file we can fix the coolwebsearch infection as well as any other problems.
rab5
Trooper
Joined: Jun 04, 2004
Posts: 19
Location: USA
|
Posted: Sat Jun 05, 2004 8:22 am Post subject: Here are the files you requested. |
|
|
Thanks for your help
Attachments: windows1.txt (8 KB), output.txt (4.58 KB)
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2346
Location: USA
|
Posted: Sat Jun 05, 2004 9:43 am Post subject: |
|
|
Download ad-aware here -> http://fileforum.betanews.com/detail.php3?fid=965718306
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
Then ........
From main window :Click "Start" then " Activate in-depth scan"
then......
click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"
then.........
Click the "Tweak" button.
Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning"
Then........"Cleaning engine" and "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion"
then...... click "proceed" to save your settings.
Do not run ad-aware yet!!
Step 5.
Run the start.bat again. Run option 2 and choose option 1 in submenu.
Enter the full path name of the file: C:\WINNT\System32\LOG.DLL
Press the enter button.
Step 6. Reboot. There will just be an MD5 scan if the filename was entered manually (option 2, 1 in start.bat).
Step 7. Reboot
Run ad-aware. It should be set up properly per the previous instructions.
Press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK. and Download Ad-aware. Check for updates. Then Run the updated Ad-aware.
Step 8.
Reboot.
Run HijackThis and fix all the following that remain.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nfp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nfp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nfp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nfp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nfp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nfp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {663F85B9-93AC-439B-BF67-2EAE1049AC36} - C:\WINNT\System32\jppf.dll (disabled by BHODemon)
O2 - BHO: (no name) - {C177D8E1-6B14-4610-A427-FA649CF92B35} - C:\WINNT\system32\nfp.dll (disabled by BHODemon)
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\waol.exe
O4 - HKCU\..\Run: [updater.dll] C:\WINNT\updater500.exe
O4 - HKCU\..\Run: [aquicken] C:\WINNT\waol.exe
O13 - Mosaic Prefix: http://www.nkvd.us/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05edeba2cde8a4bd7b...xIE601.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
Then scan again and post the fresh log.
_________________
Yellowhammer
5 steps to protect yourself from malware here.
Do not PM me with hijackthis logs.
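A triage sketch for the HijackThis entries listed in the post above, as an added example that is not part of the thread and not HijackThis's own logic. The rule set and the names `triage`, `RULES` and `SAMPLE` are assumptions of this example; the first five sample lines are copied from the thread and the last two are constructed.

```python
import re
from collections import defaultdict

# First five lines are log entries quoted in the thread; the last two are
# constructed benign entries added for contrast.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nfp.dll/sp.html (obfuscated)
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {C177D8E1-6B14-4610-A427-FA649CF92B35} - C:\WINNT\system32\nfp.dll (disabled by BHODemon)
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
DLL_PATH = re.compile(r'[A-Za-z]:\\[^/*?"<>|]+?\.dll', re.I)

# Illustrative rules (an assumption of this example, not HijackThis's own logic).
RULES = [
    ({"R0", "R1"}, re.compile(r"=\s*res://", re.I),
     "IE search/start value points into a local DLL resource"),
    ({"O1"}, re.compile(r"^Hosts:\s*(?!127\.)\d+\.\d+\.\d+\.\d+\s+\S+"),
     "hosts file maps a hostname to a non-loopback address"),
    ({"O16"}, re.compile(r"ms-its:|mhtml:", re.I),
     "DPF entry uses an ms-its/mhtml URL"),
    ({"O18"}, re.compile(r"^Protocol hijack:"),
     "protocol handler differs from the default"),
]

def triage(log_text):
    """Return (findings, linked_dlls) for a HijackThis-style log."""
    findings, seen_in = [], defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m["code"], m["body"]
        findings += [(code, why) for codes, pat, why in RULES
                     if code in codes and pat.search(body)]
        for dll in DLL_PATH.findall(body):
            seen_in[dll.lower()].add(code)
    # A DLL registered as a BHO (O2) that also serves an R0/R1 page is one
    # component behind several entries; list it so they are handled together.
    linked = sorted(d for d, s in seen_in.items()
                    if "O2" in s and s & {"R0", "R1"})
    return findings, linked

if __name__ == "__main__":
    found, linked = triage(SAMPLE)
    for code, why in found:
        print(f"{code}: {why}")
    print("DLLs tied to both BHO and search-page entries:", linked)
```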
rab5
Trooper
Joined: Jun 04, 2004
Posts: 19
Location: USA
|
Posted: Sat Jun 05, 2004 5:49 pm Post subject: |
|
|
Attached is the latest Hijack this file, after following your instructions.
There were a few hiccups along the way. McAfee alerted me a few times that I was infected with a virus and then again a trojan. Should I be concerned with these, as prior to messing with these downloads and software I wasn't getting these specific alerts? It has referenced the log.dll file as infected.
I was already a registered user of Adaware so I updated the reference file and ran it as you instructed. I however didn't re-download the Adaware software again in step 7.
Thanks again for all your help, YH
R
Attachment: hijackthis2.txt (7.77 KB)
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2346
Location: USA
|
Posted: Sat Jun 05, 2004 6:18 pm Post subject: |
|
|
The fact that McAfee finally recognized log.dll as infected is good. It could not see it before as it was hidden. I looked through your log and it looks clean now.
rab5
Trooper
Joined: Jun 04, 2004
Posts: 19
Location: USA
|
Posted: Sat Jun 05, 2004 6:51 pm Post subject: Thank you |
|
|
Thank you. You did such a great job with this problem, I am posting in another thread a hijack this log for notebook computer which seems to be infected with all kinds of 'crapware'.
Thanks again
R
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2346
Location: USA
|
Posted: Sat Jun 05, 2004 7:02 pm Post subject: |
|
|
You're welcome
Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1896
|
Posted: Sat Jun 05, 2004 10:16 pm Post subject: |
|
|
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
Once in a ti ti while we get it right...........
If you are happy with the help you received here, perhaps you would consider making a donation to help us keep helping you. It would be much appreciated. Thank you.