another nasty log

Discussion in 'adware, spyware & hijack cleaning' started by Nanc, Dec 22, 2003.

Thread Status:
Not open for further replies.
  1. Nanc

    Nanc Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 9:29:18 PM, on 12/22/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\RunDLL32.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\ORBITN~1.0\ONService.exe
    C:\PROGRA~1\ORBITN~1.0\OrbitNet.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\home\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.alfa-search.com/home.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alfa-search.com/home.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:80
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
    O1 - Hosts: 216.200.3.32 worldsex.com
    O1 - Hosts: 216.200.3.32 www.worldsex.com
    O1 - Hosts: 216.200.3.32 sexocean.com
    O1 - Hosts: 216.200.3.32 easypic.com
    O1 - Hosts: 216.200.3.32 free6.com
    O1 - Hosts: 216.200.3.32 al4a.com
    O1 - Hosts: 216.200.3.32 www.al4a.com
    O1 - Hosts: 216.200.3.32 thumbnailpost.com
    O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
    O1 - Hosts: 216.200.3.32 drbizzaro.com
    O1 - Hosts: 216.200.3.32 www.drbizzaro.com
    O1 - Hosts: 216.200.3.32 hoes.com
    O1 - Hosts: 216.200.3.32 www.hoes.com
    O1 - Hosts: 216.200.3.32 absolut-series.com
    O1 - Hosts: 216.200.3.32 www.absolut-series.com
    O1 - Hosts: 216.200.3.32 elephantlist.com
    O1 - Hosts: 216.200.3.32 www.elephantlist.com
    O1 - Hosts: 216.200.3.32 ah-me.com
    O1 - Hosts: 216.200.3.32 www.ah-me.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
    O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: MSupdate.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58908C99-3AD5-4049-BE5C-BCC39640A01E}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58908C99-3AD5-4049-BE5C-BCC39640A01E}: NameServer =
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Nanc,

    Download, unzip and run: http://www.merijn.org/files/cwshredder.zip

    Then please post a new log, so we can see if everything is gone.

    Regards,

    Pieter
     
  3. Nanc

    Nanc Guest

    Here is the new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:23:24 AM, on 12/23/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\RunDLL32.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\ORBITN~1.0\ONService.exe
    C:\PROGRA~1\ORBITN~1.0\OrbitNet.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\home\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:80
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58908C99-3AD5-4049-BE5C-BCC39640A01E}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58908C99-3AD5-4049-BE5C-BCC39640A01E}: NameServer = snipped for privacy reasons by request from the poster
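    The gap between the two logs above is exactly what gets checked on a clean-up like this. As an added example that is not part of the thread (not the poster's, the helper's, or HijackThis's own code), this Python script parses HijackThis-format lines, flags the hijack indicators visible in the first log (IE start/search pages pointed at an untrusted host, hosts-file redirects, autorun binaries dropped straight into C:\WINDOWS, a startup item with no path) and lists which entries vanished between scans. The log excerpts, the TRUSTED_HOSTS allowlist and the heuristics are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed excerpts of the two logs in this thread (only the lines that matter).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alfa-search.com/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
O1 - Hosts: 216.200.3.32 worldsex.com
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\loader.exe
O4 - Global Startup: MSupdate.exe
"""
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
TRUSTED_HOSTS = {"www.microsoft.com", "www.google.com"}  # assumed allowlist, not from the page

def parse(text):
    # (section, body) tuples for every scan line in a log
    return [(m["sec"], m["body"]) for m in map(LINE.match, text.splitlines()) if m]

def flag(entry):
    """Reason string if the entry is a hijack indicator, else None."""
    sec, body = entry
    if sec in ("R0", "R1"):                  # IE start/search page settings
        m = re.search(r"= (https?://\S+)", body)
        if m and urlparse(m.group(1)).hostname not in TRUSTED_HOSTS:
            return "IE start/search page set to an untrusted host"
    if sec == "O1":                          # hosts-file entries
        return "hosts-file redirect"
    if sec == "O4":                          # autostart entries
        if "Global Startup:" in body and "\\" not in body:
            return "startup item with no path (bare executable name)"
        if re.search(r"C:\\WINDOWS\\[^\\]+\.exe$", body, re.I):
            return "autorun binary placed directly in the Windows directory"
    return None

def findings(text):
    """Flagged entries as (section, body, reason)."""
    return [(s, b, flag((s, b))) for s, b in parse(text) if flag((s, b))]

def removed(before, after):
    """Entries present in the first scan but gone from the second."""
    kept = set(parse(after))
    return [e for e in parse(before) if e not in kept]
```

Running `findings(BEFORE)` flags six entries and `findings(AFTER)` flags none, which is the machine-checkable version of "everything is gone".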
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Excellent. Well done Nanc. :)

    Regards,

    Pieter
     
  5. Nanc

    Nanc Guest

    Thank you for all your help. Seems to be running well.
     