It's Back...

Here’s what CWShredder picked up

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (26759 bytes, R)
Shell Registry value: HKLM..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (682 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

So now what?

HiJackThis found the following:

Logfile of HijackThis v1.97.7
Scan saved at 12:48:06 AM, on 5/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lorenzo\Local Settings\Temporary Internet Files\Content.IE5\SXIRWT2R\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\njp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9EEE36A4-C054-4CE5-B518-70EB0C35DA60} - C:\WINDOWS\System32\njp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {99410CDE-6F16-42CE-9D49-3807F78F0287} (ZangoInstaller Class) - http://infinity.zango.com/gateway/resources/default/zangoinstaller.cab?productid=542
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Drago494,

A friend of mind has the same problem about 2 months ago it seem to be Hijacking your computer somewhere in your HD, I managed to find it but I can’t stop the problem and delete it and it keep coming back some reason.

So I did it a very smart way and it work the problem has stopped for about a month, and I hate to say this and it going to be a very painful way for your PC to die!.

But first you must answer the following question.

  1. Do you have all the MS Window Update Critical Updates and Service Packs, I mean all of it 100%. Yes or No in past 6 months and keep on updating when ever MS tell you must install it.

  2. What firewall software do you have on your PC

  3. What protection software do you have on your PC beside your firewall and your Avast Anti-virus software.

Before I give you my painful answer to your PC and your problem will go way for ever

Yes, of course it is, because you did nit delete the “dropper”, please read this:
http://www.computercops.biz/postt36043.html . It is a bit confusing, but it will do the trick.

Meh, I figured out a way to remove the sucker for good…I formatted my hard drive and reinstalled everything. And now, I’m using Mozilla Fire Fox as my web browser.

I knew you had to reformatted your HD now I can see you have Mozilla Fire Fox

You can install the following list and they work with Mozilla too for extra protection, and it does help believe you won’t be sorry.

  1. SpywareBlaster v3.1 and get the latest patch enable all protection.

  2. SpywareGuard v2.2 and get the latest patch enable all protection.

Have you got Ad-aware and Spybot - Search & Destroy v1.2 and get the latest patch and kill everything, for more information about SpywareBlaster and SpywareGuard here is the link http://www.javacoolsoftware.com/products.html

Finally you haven’t told me what firewall are you using I strongly recommend ZoneAlarm free version or buy the Pro version.

Do not forgett to update your Windows, or you will get "Sasser"ed!:slight_smile: