hijack log please read

Discussion in 'adware, spyware & hijack cleaning' started by higginb, Jun 20, 2004.

Thread Status:
Not open for further replies.
  1. higginb

    higginb Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    2
    my home page has been hijacked. here are my logs (tds3 and hijackthis)
    Scan Control Dumped @ 21:15:45 20-06-04
    Suspicious Filename: HTA file in suspicious location
    File: c:\program files\microsoft money\system\discover.hta

    Suspicious Filename: HTA file in suspicious location
    File: c:\program files\microsoft money\system\lnpg.hta

    Suspicious Filename: HTA file in suspicious location
    File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp12\a0000937.hta

    Logfile of HijackThis v1.97.7
    Scan saved at 6:28:00 PM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\WINDOWS\System32\winhlp32.exe
    C:\WINDOWS\winhlp32.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Online Services\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8E71EC01-D3F1-4D4F-B3B8-37D34DC04AAB} - C:\WINDOWS\System32\gcp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi higginb,

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    It may be best to print these instructions since the rest should be done with all explorer and IE windows closed.

    Start APM: in the upper window select explorer.exe
    In the lower window find and rightclick C:\WINDOWS\System32\gcp.dll
    Select Unload DLL and click OK on the prompts that follow.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Cody\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {8E71EC01-D3F1-4D4F-B3B8-37D34DC04AAB} - C:\WINDOWS\System32\gcp.dll

    Reboot and scan with AdAware to remove the txt and html protocol association as described here: https://www.wilderssecurity.com/showthread.php?t=15913

    Then download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.