Detected SPYware! System error #384

Discussion in 'adware, spyware & hijack cleaning' started by VOGDESIGN, Mar 18, 2004.

Thread Status:
Not open for further replies.
  1. VOGDESIGN

    VOGDESIGN Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    7
    Can some please help me. My internet homepage has been hijacked by Spyware System Error#384.

    Here is the log that i got when I ran HiJackThis. Can some help me with what i should do from here.

    many thanks,



    Logfile of HijackThis v1.97.5
    Scan saved at 4:15:04 PM, on 3/18/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\WINNT\reg32.exe
    C:\WINNT\svchost.exe
    C:\Corel\Graphics8\Programs\MFIndexer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\Ange's Install Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Windows3] "C:\WINNT\System32\Cfgsvc32.exe" -o
    O4 - HKLM\..\Run: [STDE13] C:\WINNT\fonts\explorer.exe
    O4 - HKLM\..\Run: [Microsoft Configuration] mcfg.exe
    O4 - HKLM\..\Run: [MSUpdate] c:\winnt\system32\Run23.exe
    O4 - HKLM\..\Run: [Run23] C:\winnt\system32\Run23.exe
    O4 - HKLM\..\Run: [msconfigurator] msvercnfg.exe
    O4 - HKLM\..\Run: [explore] C:\winnt\web\printers\images\explore.exe
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart 7 1
    O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [Online Secuirity] C:\WINNT\svchost.exe
    O4 - HKLM\..\RunServices: [Microsoft Configuration] mcfg.exe
    O4 - HKLM\..\RunServices: [msconfigurator] msvercnfg.exe
    O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0671ea3056a31c61f302/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37665.6597222222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Please close all windows and internet explorers. Check mark the following items only in Hijackthis.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    O4 - HKLM\..\Run: [Windows3] "C:\WINNT\System32\Cfgsvc32.exe" -
    O4 - HKLM\..\Run: [STDE13] C:\WINNT\fonts\explorer.exe
    O4 - HKLM\..\Run: [Microsoft Configuration] mcfg.exe
    O4 - HKLM\..\Run: [MSUpdate] c:\winnt\system32\Run23.exe
    O4 - HKLM\..\Run: [Run23] C:\winnt\system32\Run23.exe
    O4 - HKLM\..\Run: [msconfigurator] msvercnfg.exe
    O4 - HKLM\..\Run: [explore] C:\winnt\web\printers\images\explore.exe
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [Online Secuirity] C:\WINNT\svchost.exe
    O4 - HKLM\..\RunServices: [Microsoft Configuration] mcfg.exe
    O4 - HKLM\..\RunServices: [msconfigurator] msvercnfg.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0671ea3056a31c61f302/netzip/RdxIE601.cab



    Click the fix button. Close hijackthis.

    Reboot and show hidden files and folders per the link in my signature.
    Please delete the following files or folders.

    Files:
    C:\winnt\system32\Run23.exe
    C:\WINNT\svchost.exe
    C:\winnt\web\printers\images\explore.exe
    C:\WINNT\System32\Cfgsvc32.exe
    C:\WINNT\fonts\explorer.exe
    the following are probably in c:\winnt or c:\winnt\system32
    mcfg.exe
    msvercnfg.exe

    Folders:





    Run an online virusscan at http://housecall.trendmicro.com/
    Set it to autoclean. Delete what it can't clean.


    Run a new log and post it here
     
  3. VOGDESIGN

    VOGDESIGN Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    7
    thanks so much. it worked great. your the best.

    :)
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    For people who have the same or similar problem, please start your own thread!

    The following HJT Logs have been split to separate threads:

    Bryson's Detected SPYware! System error #384:
    http://www.wilderssecurity.com/showthread.php?t=27416

    AEB's Detected SPYware! System error #384:
    http://www.wilderssecurity.com/showthread.php?t=27417

    espadana's Detected SPYware! System error #384:
    http://www.wilderssecurity.com/showthread.php?t=27418
     
Thread Status:
Not open for further replies.