SpyWare VOL System error #384

Discussion in 'adware, spyware & hijack cleaning' started by Roman, Feb 25, 2004.

Thread Status:
Not open for further replies.
  1. Roman

    Roman Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 4:12:44, on 26.2.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINXP\Explorer.EXE
    C:\PCIRADIO\Radiotray.exe
    C:\WINXP\System32\Fmctrl.EXE
    D:\Software\CloneCD\CloneCDTray.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\WINXP\reg32.exe
    C:\WINXP\System32\rundll32.exe
    C:\WINXP\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Zaloha\Roman\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RadioTray] C:\PCIRADIO\Radiotray.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Software\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "D:\Software\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Reg32] C:\WINXP\reg32.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Eyeball Chat] "D:\HRY\EYEBAL~1\EyeballChat.exe" -min
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.redbox.cz/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Roman :)

    Welcome to Wilders.

    I am not a HijackThis expert, but I know you can fix the following entries.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\secure.html

    Then reboot and delete:
    C:\WINDOWS\secure.html

    When this is done, wait for the experts to give you further recommendations on your log.


    snowbound
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Sorry, I also notice you have NewDotNet in your log.

    Here is a link on how to uninstall it,

    http://www.doxdesk.com/parasite/NewDotNet.html

    Remember to check back later for answers from the experts.




    snowbound
     
  4. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Roman,

    After you have followed snowbound's instructions above for removing New.Net, add these entries to the list of R0-R1 that snowbound listed in his previous post.

    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINXP\reg32.exe
    O4 - Startup: PowerReg Scheduler.exe

    (if you do not recognize this site and did not set it yourself, then fix it too)
    O14 - IERESET.INF: START_PAGE_URL=http://www.redbox.cz/


    You also have the Blaster Worm.
    Download the FixBlast.exe tool from: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Follow the instructions at the above site for removing the blaster worm from your computer.

    Then reboot your computer, find and delete:
    C:\WINXP\reg32.exe <-- the file

    Now go to Microsoft Update Site and get all the Critical Updates for XP and IE6.

    Reboot your computer and do another scan with HijackThis, and paste a new log here to be checked.

    Regards,

    snap
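As an added illustration, not part of this thread or of HijackThis itself, the Python script below applies the triage rules the helpers used above to a subset of Roman's log: R0/R1 entries whose page is a local file instead of a URL, O4 autoruns naming the files flagged in the thread, and the O14 reset page to verify with the user. The known-bad lookup is constructed from this thread only and is not a real signature database.

```python
import re
# Subset of the HijackThis v1.97 log posted in this thread (copied from the log above).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINXP\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINXP\secure.html
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Reg32] C:\WINXP\reg32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - Startup: PowerReg Scheduler.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.redbox.cz/
"""
# Autorun file names the thread identifies as unwanted (a constructed lookup, not a full database).
KNOWN_BAD = {
    "msblast.exe": "W32.Blaster worm autorun",
    "reg32.exe": "reg32.exe in %SystemRoot%, flagged in thread",
    "newdot~1.dll": "New.Net (NewDotNet) parasite",
    "powerreg scheduler.exe": "PowerReg Scheduler, flagged in thread",
}
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^[^:]+: (?:\[[^\]]*\] )?(?P<cmd>.+)$")  # "where: [name] command"
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")  # drive-letter path rather than an http(s) URL

def file_names(cmd):
    """Lower-case file names in a Run command (handles rundll32 path,EntryPoint and quotes)."""
    cmd = cmd.replace('"', "")
    names = [t.split(",")[0].rsplit("\\", 1)[-1].lower() for t in cmd.split()]
    return names + [cmd.rsplit("\\", 1)[-1].lower()]  # whole command, for names with spaces

def triage(log_text):
    """Return the log lines a helper would mark for 'Fix checked', each with its reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            target = body.rsplit(" = ", 1)[-1]
            if LOCAL_PATH_RE.match(target):  # start/default page hijacked to a local file
                findings.append({"line": line, "reason": f"IE page set to local file {target}"})
        elif code == "O4" and (o4 := O4_RE.match(body)):
            hit = next((n for n in file_names(o4.group("cmd")) if n in KNOWN_BAD), None)
            if hit:
                findings.append({"line": line, "reason": KNOWN_BAD[hit]})
        elif code == "O14":  # IE reset page: legitimate only if the user chose that site
            findings.append({"line": line, "reason": "verify IERESET.INF default page"})
    return findings
```

Running `triage(SAMPLE_LOG)` flags the six entries snowbound and snapdragin told Roman to fix plus the O14 line to confirm, and leaves the AVG autorun alone.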
     