Detected SPYware! System error #384

Discussion in 'adware, spyware & hijack cleaning' started by VOGDESIGN, Mar 18, 2004.

Thread Status:
Not open for further replies.
  1. VOGDESIGN

    VOGDESIGN Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    7
    Can some please help me. My internet homepage has been hijacked by Spyware System Error#384.

    Here is the log that i got when I ran HiJackThis. Can some help me with what i should do from here.

    many thanks,



    Logfile of HijackThis v1.97.5
    Scan saved at 4:15:04 PM, on 3/18/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\WINNT\reg32.exe
    C:\WINNT\svchost.exe
    C:\Corel\Graphics8\Programs\MFIndexer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\Ange's Install Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Windows3] "C:\WINNT\System32\Cfgsvc32.exe" -o
    O4 - HKLM\..\Run: [STDE13] C:\WINNT\fonts\explorer.exe
    O4 - HKLM\..\Run: [Microsoft Configuration] mcfg.exe
    O4 - HKLM\..\Run: [MSUpdate] c:\winnt\system32\Run23.exe
    O4 - HKLM\..\Run: [Run23] C:\winnt\system32\Run23.exe
    O4 - HKLM\..\Run: [msconfigurator] msvercnfg.exe
    O4 - HKLM\..\Run: [explore] C:\winnt\web\printers\images\explore.exe
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart 7 1
    O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [Online Secuirity] C:\WINNT\svchost.exe
    O4 - HKLM\..\RunServices: [Microsoft Configuration] mcfg.exe
    O4 - HKLM\..\RunServices: [msconfigurator] msvercnfg.exe
    O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0671ea3056a31c61f302/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37665.6597222222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Please close all windows and internet explorers. Check mark the following items only in Hijackthis.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    O4 - HKLM\..\Run: [Windows3] "C:\WINNT\System32\Cfgsvc32.exe" -
    O4 - HKLM\..\Run: [STDE13] C:\WINNT\fonts\explorer.exe
    O4 - HKLM\..\Run: [Microsoft Configuration] mcfg.exe
    O4 - HKLM\..\Run: [MSUpdate] c:\winnt\system32\Run23.exe
    O4 - HKLM\..\Run: [Run23] C:\winnt\system32\Run23.exe
    O4 - HKLM\..\Run: [msconfigurator] msvercnfg.exe
    O4 - HKLM\..\Run: [explore] C:\winnt\web\printers\images\explore.exe
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [Online Secuirity] C:\WINNT\svchost.exe
    O4 - HKLM\..\RunServices: [Microsoft Configuration] mcfg.exe
    O4 - HKLM\..\RunServices: [msconfigurator] msvercnfg.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0671ea3056a31c61f302/netzip/RdxIE601.cab



    Click the fix button. Close hijackthis.

    Reboot and show hidden files and folders per the link in my signature.
    Please delete the following files or folders.

    Files:
    C:\winnt\system32\Run23.exe
    C:\WINNT\svchost.exe
    C:\winnt\web\printers\images\explore.exe
    C:\WINNT\System32\Cfgsvc32.exe
    C:\WINNT\fonts\explorer.exe
    the following are probably in c:\winnt or c:\winnt\system32
    mcfg.exe
    msvercnfg.exe

    Folders:





    Run an online virusscan at http://housecall.trendmicro.com/
    Set it to autoclean. Delete what it can't clean.


    Run a new log and post it here
     
  3. VOGDESIGN

    VOGDESIGN Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    7
    thanks so much. it worked great. your the best.

    :)
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,150
    Location:
    New England
    For people who have the same or similar problem, please start your own thread!

    The following HJT Logs have been split to separate threads:

    Bryson's Detected SPYware! System error #384:
    http://www.wilderssecurity.com/showthread.php?t=27416

    AEB's Detected SPYware! System error #384:
    http://www.wilderssecurity.com/showthread.php?t=27417

    espadana's Detected SPYware! System error #384:
    http://www.wilderssecurity.com/showthread.php?t=27418
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.