Undetectable Virus or Spyware


Omega2260
11-22-04, 11:33 PM
I've been getting a popup on my desktop that says "Warning: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

Do you want to download certificated software to protect your computer?"

And also when I'm browsing the web my browser will redirect itself to another site, and it's always the same 2 sites that it goes to. I have run both Adaware and Spybot and also AVG and Avast and none of them have gotten rid of this. I really don't want to have to wipe my hard drive to fix this. Any help will be greatly appreciated. Thanks.

loks
11-23-04, 10:28 AM
Download Spysweeper 3.0; it will fix the problem.

Omega2260
11-23-04, 06:52 PM
I just tried using Spy Sweeper, that didn't find it either.

Kaso
11-23-04, 07:04 PM
Hijack This! is the software you need.

However you need to know what you're looking for so you can disable it, this ain't automatic.

Mr. Chambers
11-23-04, 07:21 PM
Be aware that there really is no one stop shop for cleaning an infected system. Best results are achieved by using a series of different programs. Follow this section's two stickies on spyware removal if you haven't already, and if you're still having problems after scanning with updated versions of adaware, spybot, cwshredder, and spysweeper - then you can post a hijackthis .log file for us to look over.

Stickies on spyware removal:
http://www.ocforums.com/showthread.php?t=307720
http://www.ocforums.com/showthread.php?t=319615

Also make sure your "Messenger" service is disabled if you're using Windows XP (totally unrelated to MSN Messenger).

Omega2260
11-23-04, 11:08 PM
I have tried all the programs you have mentioned and still nothing. I just installed Hijack this. Here is the log.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\msswch.exe
C:\WINDOWS\system32\netddx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\netddx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093826580416
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38175.7188888889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I'm not really positive, but I think it has something to do with the IP address in the trusted zone. I did an nslookup and it comes up as connect.online-dialer.com

Should I have Hijack This attempt to fix it?

Turd Furguson
11-23-04, 11:49 PM
Kill the messengerplus! b/c it causes a ton of popups. Uninstall it immediately.

coin
11-24-04, 01:40 AM
That's not entirely true about Messenger Plus, you just have to select custom install and reject the ad services. I've done it on all the machines I use and I have never had any of the problems of popups and redirection.

Omega2260
11-24-04, 02:28 PM
I uninstalled messenger plus, although I know that had nothing to do with the problem. Nothing seems to even detect the program that is causing these problems. Are there any other options besides a reformat?

loks
11-24-04, 02:32 PM
Look, run msconfig and kill all the startup items. Reboot in safe mode and run all the software you have: Hijack This!, Spysweeper, Spybot, Adaware. It should find the problem. My suggestion, though. By the way, have you updated the definitions in all the proggies you downloaded?

Omega2260
11-24-04, 02:35 PM
I'll try that next, and yes all the definitions are up to date.

I.M.O.G.
11-24-04, 02:38 PM
What are the options in the message? Does it give you a link and the only option is to hit ok?

Reviewing the log you posted currently - it is detecting infections. I suspect that if you run more than one scan with adaware or spybot, there are things that appear to not go away. I will post here with some things to try soon.

I.M.O.G.
11-24-04, 02:54 PM
You have a trojan infection - you need up-to-date spyware installed.

Delete all temp and temporary internet files first - you can do this manual or you can download CCleaner and it will do it for you, along with some other useful functions.

If you have not done so already, you should go into add/remove programs and uninstall anything that you are not certain belongs there.

If the process below does not work, you may want to reattempt it and disable system restore and attempt from safe mode.

Kill these processes:

C:\WINDOWS\system32\msswch.exe
C:\WINDOWS\system32\netddx.exe (http://securityresponse.symantec.com/avcenter/venc/data/trojan.killav.(5).html)

Then remove this entry:

O15 - Trusted Zone: http://*.63.219.181.7

Then open regedit and check these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Manually ensure there is no value listed for netddx.exe. If you find these values are there, delete them.

Let me know if you still receive popups after you do this then restart. Do another scan to make certain those entries do not return.

BTW: If you want to put your machine through the full gauntlet, you can click on the malware warfare link in my sig, or click on either of the links in mr. chambers post above.
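
The log posted earlier in this thread and the triage steps in the post above (watch for msswch.exe and netddx.exe, remove the O15 Trusted Zone entry, check the Run keys) can be expressed as a small checker over HijackThis-format lines. The following is an added example, not code from this thread or from the HijackThis project; the log excerpt is a constructed cut-down copy of the thread's log, and the watchlist of process names is a hypothetical one built from the names this thread identifies, not a maintained signature set.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the HijackThis log format, copied from the entries
# posted in this thread. It is deliberately short; a real log has many more lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\msswch.exe
C:\WINDOWS\system32\netddx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# Hypothetical watchlist: the two file names the thread points at as the
# trojan components. A real triage would use a maintained list, not this one.
WATCHLIST = {"msswch.exe", "netddx.exe"}

# HJT entries look like "<letter><number> - <body>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# A Trusted Zone host that is a bare IPv4 address, optionally with a "*." wildcard.
IP_HOST_RE = re.compile(r"^(?:\*\.)?\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text: str) -> Dict[str, list]:
    """Split an HJT log into the running-process paths and the keyed entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return {"processes": processes, "entries": entries}


def triage(text: str) -> List[str]:
    """Return human-readable findings for the checks the thread describes."""
    parsed = parse_hjt(text)
    findings: List[str] = []
    for path in parsed["processes"]:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in WATCHLIST:
            findings.append(f"running process on watchlist: {path}")
    for kind, body in parsed["entries"]:
        if kind == "O15":
            # Trusted Zone entries for raw IPs are rarely legitimate; the thread's
            # entry resolved to a dialer host.
            host = body.split("Trusted Zone:", 1)[-1].strip().split("://", 1)[-1]
            if IP_HOST_RE.match(host):
                findings.append(f"trusted zone entry for raw IP: {body}")
        elif kind == "O4":
            # Autostart (Run key / startup folder) entries pointing at watchlisted names.
            if any(name in body.lower() for name in WATCHLIST):
                findings.append(f"autostart entry on watchlist: {body}")
        elif kind == "O10":
            # A broken LSP chain explains "no internet" symptoms after removals.
            findings.append(f"broken LSP chain: {body}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The O4 check only matches the constructed watchlist, so the avast! autostart entry is not flagged; the point is that a name appearing both under "Running processes" and in an autostart entry is what makes a file come back after every restart, which is exactly the behaviour reported later in this thread.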

Omega2260
11-24-04, 03:16 PM
I just followed the steps you said and there is no netddx.exe file, but there is a msswch.exe. I killed that process and removed the ip from the registry but after a restart both msswch and the ip in the registry come back.

I.M.O.G.
11-24-04, 03:32 PM
There has to be a netddx.exe file somewhere - it is a running process, so it must be on your computer.

Go to Tools > Folder Options > View and select "Show hidden files and folders", clear the checkmark in "Hide protected operating system files", and check again.

It's running from C:\WINDOWS\system32\

In the meantime, I'm looking into more experiences of how to cut the belly out of the beast. There's a trail, just need to get at the gizzard. :)

What version number is your HJT scanner? The actual number please. :)

Omega2260
11-24-04, 04:19 PM
The HJT version is 1.97.7

I.M.O.G.
11-24-04, 07:24 PM
Run 1.98.2 - that is the latest version... This will ensure that the HJT version is not a negative variable here.

Now that we see your HJT was outdated, are you certain you are running with the latest definitions with spybot? It should scan for 21,000+ infections.

Omega2260
11-24-04, 11:41 PM
I've got the latest HJT and both Adaware and Spybot have the latest definitions. Spybot keeps coming up with a DSO exploit. Every time I fix it, it just comes right back.

grimm003
11-25-04, 01:35 AM
I get that same thing too on my sister's computer. I also want to know how to get rid of the DSO exploit.

klingens
11-25-04, 01:42 AM
@Omega2260: go to www.sysinternals.com and download autoruns. With that, you should be able to stop msswch and netddx from executing on every startup.

DuckDodgers
11-25-04, 01:43 AM
Seems to me I read that DSO Exploit was actually a bug in Spybot S&D. Could be wrong but I remember reading about it somewhere, PC Mag discussions I think.

Also I had a trojan that was giving me major headaches and I could not get rid of it. Turned out it was hiding in my restore files. I turned off System Restore and then ran my spyware/AV program and bingo, toasted its butt. Just a thought....

I.M.O.G.
11-25-04, 11:21 AM
The version you posted that log with is outdated - did you download the new version or not?

What AV software are you running and is it also updated and functioning?

I am getting the feeling you are cutting corners, and you really need to follow the full guide in my sig, as well as follow the removal instructions from symantec for netddx. If I'm going to be any help with your question, you need to answer my questions also, and let me know if you are taking my advice or not.

This should be simple to solve if you are being diligent about the steps you take.

Do you know how to restart into safe mode? That makes an important difference in whether or not this will work or not.

Do you know how to enable display of hidden/protected files?

If you end task on the running processes, do they automatically restart? If you find they are running, then you should end task on them before trying to fix anything or you will be unsuccessful (this is the reason for being in safe mode - only essential system processes should run, enabling you to remove the infections).

Omega2260
11-25-04, 11:37 AM
Yes, I got the new version of HJT. It doesn't help much though, it won't remove the IP from the registry. I have to keep going into the registry and doing it manually. And yes I have followed your steps, I am very computer savvy and know how to view hidden files and get into safe mode. Netddx is not a running process, the problem is somewhere else. Mssch.exe does still show up. When I end the process and delete the IP from the registry, it won't come back right away. It does come back on the next restart. I have gone into msconfig and disabled all startup programs. I tried to do everything in safe mode and still nothing works. Even when the mssch.exe process is killed and the IP removed, my browser will still take me to different sites. This only happens when I click on a link.

I.M.O.G.
11-25-04, 01:55 PM
Ok thanks - that all helps. Being computer savvy though, you should understand that it is hard to support something when your questions are not answered. I was getting frustrated as I want to fix this problem (it's like a puzzle), but I'm getting poor answers to important questions - like what virus software you are running and if it is updated. I'm guessing you cannot get your old AV to run because it has been killed, but that's just a guess and not worth much. I would also guess that if you could get a good AV running, that might solve your problem automatically.

Netddx is a trojan, and it was a running process on your machine - at the top of your HJT logfile, there is a title that says "Running processes", and below that, many things are listed, one of which is C:\windows\system32\netddx.exe. That means that file was running as an active process on your machine when the scan was run. The core of your problem may be somewhere else - but having a trojan laying down a welcome mat is far riskier than some silly popups that annoy you.

Other users who have had your issue report that they cannot find these files until looking for them in safe mode - so you may find them if you are using safe mode. Make certain that you have hidden files viewable, as well as protected operating system files viewable (these are two separate settings).

As for msswch.exe, you will need to perform a registry merge which will reset some important values and then deleting the source file itself should take care of your problem. You should find the details here:

http://www.windowsbbs.com/showpost.php?p=200462&postcount=18

Can you link me to the websites you are being directed to by this infection? Thanks.

BTW: If you have the latest version of IE and are patched, then the DSO exploit vulnerability is gone; however Spybot may still turn this up because of an invalid value detected for an entry - Spybot sets another invalid entry (a bug in the program), and there is a fix which can be had here:

http://www.majorgeeks.com/download4392.html

Omega2260
11-25-04, 11:27 PM
I have an antivirus, it's the latest version of Avast. The sites it keeps sending me to are porn so I'm not sure if that's allowed to be posted on this forum.

coin
11-26-04, 04:45 AM
Not sure if this will help, but if you boot your PC using the install CD and go into repair mode you can view startup items that do not show up either in normal or safe mode. Helped me rid a friend's PC of a particularly nasty trojan (sorry, can't remember the details); if I remember rightly it also showed up services that were otherwise hidden.

I.M.O.G.
11-26-04, 08:46 AM
Results... What have you tried and what did you find?

Omega2260
11-26-04, 01:10 PM
I think I managed to fix everything. I went into safe mode again and deleted all those files that were in that registry merge link you sent and then tried all the steps over again. CWShredder actually found something this time, it was CWS.HiddenDll or something like that. So far no more popups and no website redirections. Thanks for all your help, I really appreciate it.

ComPuterFreak90
11-30-04, 03:31 PM
happens again, reinstall XP.

Dukeman
11-30-04, 04:06 PM
To protect yourself in the future don't use Windows Firewall. Use Zone Alarm (http://www.zonealarm.com/) Personal. It's free and nothing communicates in or out of your system without it being logged, and it will alert you to new files that are trying to talk to the outside world. Because you have to tell it yes or no for every program it immediately alerts you to spyware.

I've never been infected without knowing it using zone alarm and I run adaware and other scanners regularly to check. The other cool thing is that it can track down more information on the many known files and let you know about them.

Schalldampfer
11-30-04, 04:33 PM
Now then... does anyone have the answer to that DSO exploit problem in Spybots? I get the thing also.

Mr. Chambers
11-30-04, 04:34 PM
happens again, reinstall XP.

Not always an option for some people. Telling people to reformat when they have some spyware is like torching your entire neighborhood's lawns when you find some weeds...

If you follow the guides to the T and don't cut corners there's a *very* high chance you can clean the system without having to format. Of course a format is going to give you better performance afterwards, and in some cases may take less time, but not everyone is able to or wants to do that every time they get a malware infection.

DuckDodgers
11-30-04, 05:13 PM
Now then... does anyone have the answer to that DSO exploit problem in Spybots? I get the thing also.

Read post 24 of this thread... Worked for me.

Omega2260
11-30-04, 06:51 PM
I do use Zone Alarm, and I now know for a fact that you don't have to click OK on a popup to get spyware.

Dukeman
12-01-04, 12:38 AM
How do you have zone alarm configured that it didn't alert you to a new program trying to access the internet?

Omega2260
12-01-04, 10:44 AM
No, it alerts me every time something tries to access the internet, but I guess since it was taking over Internet Explorer it didn't see it as a different program.