another nasty log

Discussion in 'adware, spyware & hijack cleaning' started by Nanc, Dec 22, 2003.

Thread Status:
Not open for further replies.
  1. Nanc

    Nanc Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 9:29:18 PM, on 12/22/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\RunDLL32.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\ORBITN~1.0\ONService.exe
    C:\PROGRA~1\ORBITN~1.0\OrbitNet.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\home\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alfa-search.com/home.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:80
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: MSupdate.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58908C99-3AD5-4049-BE5C-BCC39640A01E}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58908C99-3AD5-4049-BE5C-BCC39640A01E}: NameServer =
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi Nanc,

    Download, unzip and run: http://www.merijn.org/files/cwshredder.zip

    Then please post a new log, so we can see if everything is gone.

    Regards,

    Pieter
     
  3. Nanc

    Nanc Guest

    Here is new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:23:24 AM, on 12/23/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\RunDLL32.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\ORBITN~1.0\ONService.exe
    C:\PROGRA~1\ORBITN~1.0\OrbitNet.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\home\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:80
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58908C99-3AD5-4049-BE5C-BCC39640A01E}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58908C99-3AD5-4049-BE5C-BCC39640A01E}: NameServer = snipped for privacy reasons by request from the poster
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Excellent. Well done Nanc. :)

    Regards,

    Pieter
     
  5. Nanc

    Nanc Guest

    Thank you for all your help. Seems to running good.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.