Defender-Review.com fake website

Do I have to use the malware software to get rid of the hijacker?  I have the fake Windows Firewall warning on my computer, but I have not downloaded Personal Defender.  Most of the websites tell you how to get rid of Personal Defender, but not the hijacker program itself.  Some other message boards say that there is just an executable file on my computer doing this called mupd1_2_1711951.exe that you just have to find and delete, which I cannot find by searching my computer.  Does the executable file have another name, or should I just use a spyware/malware program to get rid of it?

Hi

If you also want to, like "snug", you can PM me your Hijackthis.log

Download Hijackthis http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download and download the third in the list (Executable), then click "Scan with log", open the log in Notepad, then paste me the results in a Personal Message. We will try to stop any startup items first.

I have to go out but will be back later 

Quads 

Quads is an expert in bug removal here, so for detailed instructions I would refer you to him.

If you have NIS, give it a chance to do its work by running a full scan.

You can't find that file in search because it is almost certainly super-hidden, which means it is hidden and also flagged as a protected system file. Better to try to find a process with a weird name in Task Manager and kill it.

A good and free on-demand scanner is here; you can install it and run it, first in normal mode, then in safe mode.

You can also disable that super-hidden feature: go to Folder Options in the Control Panel and remove the tick from the box which says 'Hide protected operating system files'.


TomiRed wrote:

Quads is an expert in bug removal here, so for detailed instructions I would refer you to him.

Hahahahaha LOL, don't think so somehow; the Symantec employees would beat me hands down, and have some to spare.

It's a lot harder to figure out over the net than in person too.

Quads 

Hi Quads, Kelly, TomiRed and others,

My son told me today that his PC can access the internet as normal, and that the fake alerts have stopped.  I checked Norton history and found that the virus Trojan.Fakeavalert was detected by Auto-Protect (Auto-Protect definitions version 2008.12.09.003).  I successfully removed it by using the manual remove option.

Not sure why it didn't alert me automatically.

On reading the symantec info on Trojan.Fakeavalert, it doesn't seem to be the same as Defender-Review.com, but it seems to have cured it...??

Not sure if this was a result of what you did TomiRed, but if it was, thanks very much.

jdimiceli wrote:

Do I have to use the malware software to get rid of the hijacker?  I have the fake windows firewall warning on my computer, but I have not downloaded Personal Defender.  Most of the websites tell you how to get rid of Personal Defender, but not the hijacker program itself.  Some other message boards say that there is just an executable file on my computer doing this called mupd1_2_1711951.exe that you just have to find and delete, which I cannot find by searching my computer.  Does the executable file have another name or should I just use a spyware/malware program to get rid of it?

Hi jdimiceli
Just got up a short while ago.
You are infected with a form of "about:blank" and something has made bad trusted zones, so here goes.
After all this you will have to enter your browser homepage, as that is gone.  Start Hijackthis again and tick only these entries.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank 

O2 - BHO: (no name) - {DD6FA5AD-FA2E-7FF9-4D4C-8C32A4EAEF3F} - C:\WINDOWS\system32\winhg32.dll

O4 - HKLM\..\Run: [Task Manager Help] tskmgrhlp.exe                                                 (worm)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k              (Not needed on startup) 

O4 - HKLM\..\RunServices: [Task Manager Help] tskmgrhlp.exe                                     (the worm)

O4 - HKCU\..\Run: [Task Manager Help] tskmgrhlp.exe                                       (the worm again)

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe          (Bad, could be any of a group)

O4 - HKUS\S-1-5-18\..\Run: [Task Manager Help] tskmgrhlp.exe (User 'SYSTEM')          (the worm)

O4 - HKUS\.DEFAULT\..\Run: [Task Manager Help] tskmgrhlp.exe (User 'Default user')  (the worm)

O9 - Extra button: Advisor - {E779F1D3-115D-4185-8D53-991CCC79FA7B} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted IP range: 206.161.125.149

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\sdksm32.exe (file missing)

After ticking those, click "Fix Checked". Hijackthis may ask to restart your PC.

Due to the worm you may want to run SDfix, See how to use SDfix here http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740

Then download and install SuperAntispyware Free, Update then do a full scan.

Quads 
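As an added example that is not part of the original thread (it is not Quads' tool, nor HijackThis code), the Python script below applies the triage rules used in the post above to a HijackThis-style log: R0/R1 entries reset to about:blank, unnamed BHOs, O4 autostarts given as bare file names (resolved through the PATH search order, like tskmgrhlp.exe), system-process names such as svchost.exe running from outside system32, O15 Trusted Zone and Trusted IP additions, and O23 services with an unknown owner or missing binary. It also flags an autostart launched from a per-user Application Data folder with a random-looking name, the pattern this thread later ties to Trojan.Fakeavalert. The sample log is constructed from entries quoted in this thread, with a few benign entries kept as controls; the "Google Update" entry, the assumed %SystemRoot% of C:\WINDOWS and the length bounds in the random-name pattern are my own assumptions.

```python
import re
import sys

# Assumption: %SystemRoot% is C:\WINDOWS, as in every log quoted in this thread.
SYSTEM32 = r"c:\windows\system32"
# Process names malware borrows for camouflage; the genuine copies live in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)
# Letters followed by a run of digits, e.g. kjzna1562565.exe; the length bounds are a guess.
RANDOM_NAME_RE = re.compile(r"^[a-z]{3,8}\d{5,9}\.exe$", re.IGNORECASE)

# Constructed sample modelled on entries quoted in this thread (benign controls included).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {DD6FA5AD-FA2E-7FF9-4D4C-8C32A4EAEF3F} - C:\WINDOWS\system32\winhg32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Task Manager Help] tskmgrhlp.exe
O4 - HKLM\..\RunServices: [Task Manager Help] tskmgrhlp.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Application Data\Google\kjzna1562565.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\sdksm32.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""


def _check_autostart(key, cmd):
    """Yield reasons for one O4 entry; `key` is the registry key, `cmd` the command line."""
    if key.endswith("RunServices"):
        yield ("RunServices is a Windows 9x-era autostart key that XP ignores; "
               "the worm in this thread writes it alongside Run")
    m = EXE_RE.match(cmd)
    if not m:
        return  # no .exe in the command (e.g. dumprep 0 -k); nothing to judge
    folder, _, base = m.group("exe").lower().rpartition("\\")
    if not folder:
        yield f"bare file name {base}: resolved via PATH search order, actual location unknown"
        return
    if base in SYSTEM_NAMES and folder != SYSTEM32:
        yield f"{base} launched from {folder}, not {SYSTEM32}: system-process name used as camouflage"
    if "\\application data\\" in folder:
        reason = "executable autostarting from a per-user Application Data folder"
        if RANDOM_NAME_RE.match(base):
            reason += " with a random-looking name (the Trojan.Fakeavalert pattern in this thread)"
        yield reason


def _check(line):
    """Yield every reason a single HijackThis line deserves a closer look."""
    if line.startswith(("R0 ", "R1 ")) and line.endswith("about:blank"):
        yield "IE start/default page reset to about:blank (classic hijack marker)"
    if line.startswith("O2 - BHO: (no name)"):
        yield "unnamed Browser Helper Object; legitimate BHOs almost always carry a product name"
    if line.startswith("O15 "):
        yield "Trusted Zone/IP addition: IE relaxes security for these hosts, confirm the user added it"
    if line.startswith("O23 ") and ("(file missing)" in line or "Unknown owner" in line):
        yield "service with unknown owner or missing binary"
    m = O4_RE.match(line)
    if m:
        yield from _check_autostart(m.group("key"), m.group("cmd"))


def triage(log_text):
    """Return [(line, reason), ...] for the entries worth ticking in HijackThis."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend((line, reason) for reason in _check(line))
    return findings


def flagged_lines(log_text):
    """Distinct log lines that received at least one finding, in log order."""
    seen = []
    for line, _ in triage(log_text):
        if line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    # Pass a saved hijackthis.log as the first argument; with no argument the sample is used.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line, reason in triage(text):
        print(f"{line}\n    -> {reason}")
```

The rules are deliberately heuristic: a bare file name such as wfxsnt40.exe in drumdog's log below is legitimate, so a hit means "look at this entry", not "tick it blindly". The log is read as latin-1 because HijackThis logs can contain non-ASCII bytes, as the NSS service name above shows.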

Hi Quads - I'm having the same browser hijack issue. Would you mind taking a look? Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 3:49:05 PM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\Fs-nt1\networke\Downloads\HijackThis.exe
c:\dell\E-center\gtb2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = flexstaff.local
O17 - HKLM\Software\..\Telephony: DomainName = flexstaff.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = flexstaff.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = flexstaff.local
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

Hi drumdog

Could you please download an up-to-date version of Hijackthis; you are using v1.98.2 instead of v2.xx.

Could you please also remove this Hijackthis.log; instead, after downloading the up-to-date Hijackthis, Personal Message me the log rather than posting it on the Forum.

I have already noticed bad entries, BTW, but will wait to see what the latest Hijackthis finds.

Thanks 

Quads 

jdimiceli, 

For the worm seen in the Hijackthis log, the closest match seems to be "W32/Rbot-DA"; some sites state it as a Trojan, but it is seen more as a worm. So now I have a name for those entries (just the ones I said worm to).

Quads  

Hi Quad,

Thanks for assessing the situation.  I ran HijackThis and fixed the files you said.  I had a problem finding SDfix though.  The sites that you recommended on your other post that you linked me to downloaded viruses that my virus scan deleted.  Any thoughts?  Could I just use a different program?

jdimiceli

Hi, 

I can download ok from http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm

You will see 3 download links for SDfix.

Quads 

Hi drumdog

Start Hijackthis again and tick these entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup  (not needed on startup)

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start         (not needed on startup)

Then Click "Fix Checked" 

Now download SuperAntispyware Free, install it, update it and run a Full Scan in safe mode.

Quads 

Hi all, re my last post :

Hi Quads, Kelly, TomiRed and others,

My son told me today that his PC can access the internet as normal, and that the fake alerts have stopped.  I checked Norton history and found that the virus Trojan.Fakeavalert was detected by Auto-Protect (Auto-Protect definitions version 2008.12.09.003).  I successfully removed it by using the manual remove option.

Not sure why it didn't alert me automatically.

On reading the symantec info on Trojan.Fakeavalert, it doesn't seem to be the same as Defender-Review.com, but it seems to have cured it...??

The PC is still running OK after 3 days, with no sign of Defender-Review.com false alerts.  Maybe Norton Auto-protect detected as something similar to Trojan.Fakeavalert and has removed it for me.

Maybe I am being naive, but perhaps running LiveUpdate and then doing a full scan may work, without all the complex work you guys seem to be doing (not that I am trying to say anything negative about it; in fact I am quite impressed by all the effort Quads and others are putting into this).

Anyway, worth a try...?

Quads-

That appears to have taken care of it, thanks so much. I also identified a couple of malicious files in my \applicationdata\Google folder. I also deleted them and their registry entry while in safe mode, and this seems to have done the trick. The files were dfxovl.dll and klnxv19819115.exe (which may be a randomly generated filename).

Thanks again for the help, I really appreciate it.

drumdog

Hi Drumdog

Since you, I have done 2 of these through the PM system, and yes, the xxx.exe and xxx.dll (where xxx = random figures) in the Google folder belong to "Trojan.Fakeavalert", which gives you the warning message.

Both people through the PM's had different named files, like "windpipe.exe" 

Quads 

Hello all,

I was over optimistic with my assumption that Defender-Review had been eradicated, it seems to have re-appeared on my son's PC again.  This time it's saying that the infection is Win32.Netsky.Q.

This time there is also an error box which says: System Error    MSConfig caused system failure.

Clicking on this causes a re-boot.  Once again, it only happens when logged on under my son's user id. 

Currently doing a full system scan, nothing so far.

I wonder if anybody from Norton would like to comment?

The infected files are under his user name.

The "Win32.Netsky.Q." warning is a fake by "trojan.fakeavalert"

Go to here  "C:\Documents and Settings\(Username)\Application Data\Google\"  should be one "xxxx.exe" and one "xxxx.dll"

Username = any users account that is infected, in this case your sons 

Malwarebytes in safe mode with a database version of 1499 and above (now up to 1503) detected the last one I did via Personal Message. SuperAntispyware keeps updating their database for "Trojan.Fakeavalert".

I would have to get permission to show our last PM's from him. 

Quads 

Message Edited by Quads on 12-16-2008 10:29 AM

Hi Quads,

I tried a system restore in safe mode and that seems to have cured the symptoms, but I suspect the root cause may still be there.  Earlier on, I did some tidying up on his PC and ran msconfig.  I noticed a startup item which looked suspicious, so I unselected it.  Some time after that, the problems re-started.

I tried to undo that setting to see what the effect would be but it kept on re-booting, hence starting in safe mode.

I've re-run msconfig and guess what is back in start up:

C:"C:\Documents and Settings\(Username)\Application Data\Google\kjzna1562565.exe

I suspect that is not a good thing, but when I try to find it in "my computer" it is not visible (even with the 'show hidden files ticked).

Any ideas?

As I said

Bingo, "kjzna1562565.exe" belongs to Trojan.Fakeavalert. It is the process; there will also be an xxxx.dll in there too.

Download, if not already, Malwarebytes Anti-Malware, install it and update it; you need the database version for the definitions at or above 1499.

Then enter safe mode and do a full scan.

here is a Malwarebytes scan log (with the random name files)

Malwarebytes' Anti-Malware 1.31
Database version: 1499
Windows 5.1.2600 Service Pack 3

14/12/2008 13:51:17
mbam-log-2008-12-14 (13-51-17).txt

Scan type: Full Scan

Objects scanned: 53428
Time elapsed: xxxxxxxxxxxxx

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\(Username)\Application Data\Google\fhexj6825097.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\(Username)\Application Data\Google\mjkdpl.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\(Username)\Application Data\Google\fhexj6825097.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\(Username)\Local Settings\Temporary Internet Files\Content.IE5\GD9L3BIL\._file[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\(Username)\Application Data\Google\mjkdpl.dll (Trojan.FakeAlert) -> Delete on reboot.

Quads 

Hi Quads,

I have downloaded Malwarebytes and printed the instructions, but won't be able to try this out as my son wants to sleep!

Busy tomorrow night, so wednesday would be the earliest time I could try it out.  Maybe Norton will have caught it by then!

Thanks for your help.