|
|
|||||||
| Spyware Cleaning Section Closed!! |
| Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services. |
|
|
Thread Tools | Search this Thread |
|
#1
July 4th, 2004, 11:42 PM
|
|||
|
|||
Mysterious, resistant hijack
I've now run fully updated Spybot and Adaware 6 several times. Have gone through a variety of steps to eliminate a nasty C2.lop (and think I may have gotten it all??). But I'm still getting a persistent hijacking of Internet Explorer, opening windows to take me to various places most frequently today being www.whenusearch.com. Running XP Home Edition on a Dell 2.66GHz Inspiron. Here is the latest Hijack This logfile. What am I missing?
Logfile of HijackThis v1.98.0 Scan saved at 11:10:43 PM, on 7/4/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\carpserv.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\AIM95\aim.exe C:\Program Files\America Online 8.0\aoltray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Messenger\msmsgs.exe C:\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://education.dellnet.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Htw0Uz0Y.exe O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [DDBControlRoxioC] C:\WINDOWS\System32\DDBControlRoxioC.exe O4 - HKLM\..\Run: [IDIMAPM] C:\WINDOWS\System32\IDIMAPM.exe O4 - HKLM\..\Run: [HIMENGS] C:\WINDOWS\System32\HIMENGS.exe O4 - HKLM\..\Run: [NDREC32S] C:\WINDOWS\System32\NDREC32S.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar3.dll/cmtrans.html O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe |
|
#2
July 5th, 2004, 09:30 AM
|
||||
|
||||
Re: Mysterious, resistant hijack
Download and run this one
http://downloads.subratam.org/PeperFix.exe Click the Find and Fix button. Reboot when prompted Is there a 'golden palace casino' in your Add/Remove programs? - remove it if present Run HijackThis again, push Scan and place a check mark next to the following items using your mouse. Next, close all browser Windows, and push the 'Fix checked' button in HijackThis O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Htw0Uz0Y.exe O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe O4 - HKLM\..\Run: [IDIMAPM] C:\WINDOWS\System32\IDIMAPM.exe O4 - HKLM\..\Run: [HIMENGS] C:\WINDOWS\System32\HIMENGS.exe O4 - HKLM\..\Run: [NDREC32S] C:\WINDOWS\System32\NDREC32S.exe Empty the TIF (Temporary Internet Files) To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties) Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder ----------- Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/ After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions. Now do the following: - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine: check: "Unload recognized processes during scanning." - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine: Check: "Let Windows remove files in use after reboot." Press "Scan Now" - Check option "Use Custom scanning options" - Check option "Activate In-Depth Scan" - Press "Select drives\folders to scan" - Select the active partition which is usually C: Now press "Next" to let Ad-aware scan your drives... It will find a number of "bad" files and registry keys. Right-click in that pane and choose "select all" Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK. Finally, close Ad-Aware, and reboot. --------- some info version.exe is likely http://securityresponse.symantec.com...are.jraun.html I do not recognize this one O4 - HKLM\..\Run: [DDBControlRoxioC] C:\WINDOWS\System32\DDBControlRoxioC.exe |
|
#3
July 5th, 2004, 08:43 PM
|
|||
|
|||
Re: Mysterious, resistant hijack
IMM ... good suggestions. I seem to have it licked. Adaware was already current, and no Golden Casino in the add/remove programs, so the deletions form the Adaware log you suggested must have done the trick -- so far so good at least. Thanks!
 |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
