933 Posts

July 15th, 2004 16:00

Hi Canuck, looks like CWS Exploit. A new fix was just released for it, the download and instructions are here:

http://www.majorgeeks.com/download4289.html

Warning! Your HijackThis.exe is not running out of a safe folder.  Please follow the directions here:

http://russelltexas.com/malware/createhjtfolder.htm

I suggest you review all of the information and the links also in this post:

http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=19322

Thanks,

pskelley
In Training at TomCoyote.com and Spywareinfo.com


Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.

Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general and many specific items in Hijackthis logs:  jimw, ddeerrff, and msgale.


6 Posts

July 15th, 2004 17:00

pskelley,

The MajorGeeks site didn't reference a CWS Exploit. How do I know I am downloading the correct tool to fix this bug? Also, I know of two other people who have the same problem as me; how were you able to diagnose the source of the problem? I am hoping to give them some tips. I understand that the answer may be over my head, but I would be grateful for the info. Many, many thanks.

933 Posts

July 15th, 2004 19:00

Website: http://www.majorgeeks.com/download4289.html

Directions provided at website:

Symptoms:
- IE Hijacked to res://.dll/index.html#37049 PopUps
- Specific Words on webpages link to search pages, etc.

Items indicating the infection in the R1 numbers of your HJT log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\bfzgr.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\bfzgr.dll/sp.html#96676

You can also copy and paste those line markers to any good search engine such as www.google.com and you can see this item and the removal attempts at many online spyware forums. I have done that for you below:

http://www.google.com/search?hl=en&ie=UTF-8&q=R1+-+HKLM%5CSoftware%5CMicrosoft%5CInternet+Explorer%5CMain%2CDefault_Search_URL+%3D+res%3A%2F%2FC%3A%5CWINNT%5Cbfzgr.dll%2Fsp.html%2396676&btnG=Google+Search

I also do not suggest you give information to your friends unless you have looked at their logs and you know what is there. A pain in your side may be indigestion and the same exact pain in their side could be appendicitis. Issues might seem similar but something else could be causing it. I suggest you have your friends post a log at a good spyware help site. Here are just a few:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.wilderssecurity.com
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org
http://www.bleepingcomputer.com

Hope this helps...pskelley
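The three R1 indicators quoted above are easy to check for mechanically. The script below is an added example, not code from this thread or from the MajorGeeks fix: it parses R0/R1 lines of a HijackThis log, flags any search-page value that points at a res:// DLL resource (the CWS pattern) or at a bare local .html file, and lists the DLL path the removal directions call the "random" .dll. The log text is constructed from the lines in the post plus two benign entries.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the three R1 lines quoted in the post plus two benign lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\bfzgr.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\bfzgr.dll/sp.html#96676
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# HJT format: "R1 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")
# res://<path to a .dll>/<page>#<number>, the shape of the two hijacked entries above
RES_DLL = re.compile(r"^res://([A-Za-z]:\\[^/]+?\.dll)/[^#]*#\d+$", re.IGNORECASE)
# a bare local .html file (no scheme) used as a search page, like searchbar.html above
LOCAL_HTML = re.compile(r"^[A-Za-z]:\\.*\.html?$", re.IGNORECASE)


class Finding(NamedTuple):
    section: str     # R0 or R1
    hive: str        # HKCU or HKLM
    value_name: str  # e.g. Default_Search_URL
    reason: str      # why the entry was flagged
    dll_path: str    # DLL named by res://, or "" when not applicable


def scan_hjt_log(text: str) -> List[Finding]:
    """Return R0/R1 entries whose data matches the indicators quoted in the post."""
    findings = []
    for line in text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        section, key, name, data = m.groups()
        hive = key.split("\\", 1)[0]
        res = RES_DLL.match(data)
        if res:
            findings.append(Finding(section, hive, name.strip(), "res:// DLL search page", res.group(1)))
        elif LOCAL_HTML.match(data):
            findings.append(Finding(section, hive, name.strip(), "local HTML search page", ""))
    return findings


def dlls_to_inspect(findings: List[Finding]) -> List[str]:
    """Unique DLL paths referenced by res:// entries (the 'random' .dll in the directions)."""
    return sorted({f.dll_path for f in findings if f.dll_path})


if __name__ == "__main__":
    hits = scan_hjt_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section} {f.hive} {f.value_name}: {f.reason} {f.dll_path}".rstrip())
    print("DLLs to inspect:", dlls_to_inspect(hits))
```

A match only says the entry looks like the quoted indicators; as the post says, the full log should still be read by someone who knows what else belongs there.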


6 Posts

July 16th, 2004 18:00

Thank you for the info. I will not advise my friends other than to have them post their HJT log for you guys to review. I am going to do the steps you laid out and let you know how I do. Many thanks.

933 Posts

July 16th, 2004 20:00

I should point out that I checked and was informed that your HijackThis.exe is safe to run from this position, so you have no need to change it. HTH...pskelley

C:\unzipped\hijackthis\HijackThis.exe

6 Posts

July 19th, 2004 15:00

pskelley,

Should I take the steps listed on the download page before downloading the repair tool?

Also, I do not understand step #5 very well where I remove the dll file that was in the place of the word random. I do not understand this step.

Is this something I will be doing with HJT? Or the downloaded tool? If you could clarify step 5 that would be great.

Many thanks!

6 Posts

July 21st, 2004 21:00

Sorry for breaking etiquette on my earlier post. Please accept my apology.

Here is my updated situation:

Thanks for any help!

I have run HJT and the repair tool given from MajorGeeks after having been diagnosed with CWS Exploit by pskelley. I have posted my HJT log that I just ran herein so you can see what is still there.

Continuing symptoms: When I launch a Microsoft software application the Windows Installer wizard starts up and attempts to re-install Microsoft XP Small Business. I have to click Cancel to allow the program to launch. My operations have slowed to a crawl (opening a new file or running a program). My internet access is restored to previous function and email is all working fine now. I no longer show symptoms of a browser hijack.

Is there more stuff to delete using HJT? I only deleted the files that referenced the .dll file as instructed.

HJT log :

Logfile of HijackThis v1.98.0
Scan saved at 12:18:11 PM, on 7/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\HPJETDSC.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec\ACT\SideACT.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Symantec\ACT\act.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\MsiExec.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: SideACT!.lnk = C:\Program Files\Symantec\ACT\SideACT.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Many, many thanks!

Canuck

933 Posts

July 21st, 2004 21:00

Another thread was started for this problem, I have asked Canuck to return to this thread and repost his log.  The thread he posted in was:

http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=19975

Thanks...pskelley

Message Edited by pskelley on 07-21-2004 06:09 PM

933 Posts

July 22nd, 2004 01:00

Canuck, Here is some information about your problem:

In Running processes this is the one trying the small business reinstall:

C:\WINNT\System32\MsiExec.exe

No HJT entry to stop it...may need Registry help from the Windows Forum experts.

Could still have hidden infection causing a slowdown...or it could be corruption in Windows requiring System File Checker.

http://windows.about.com/library/weekly/aa000723a.htm

Command: sfc /scannow at Start/Run