Hijack + other problems

Discussion in 'adware, spyware & hijack cleaning' started by Woodpigeon, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. Woodpigeon

    Woodpigeon Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2
    Hi,

    I have a Windows XP operating system running IE and Norton Antivirus.

    While browsing a few days ago, Norton alerted me to a virus attack. The attack was quickly dealt with, but it has left my computer a bit messed up.

    1) the home web address has been altered, and I can't change it even if I use Regedit. I am also getting regular popup windows appearing.

    2) Windows Media player won't work. When I click on an icon all I get is a dull beep.

    3) An installation window for Small Business XP aipears any time I try to launch an application. It's a bit irritating.

    I have since loaded up Ad-Aware, SSD and Hijack This. I also ran a full virus check with Norton. None of them seem to have found anything really amiss, although Skybot is telling me I have a DSO problem, which is strange because I have tried to keep my Windows programs up to date.

    OK - here is the HijackThis log, and I also include the latest Skybot log from earlier tonight. Any help you can give me would be most appreciated!

    Logfile of HijackThis v1.98.0
    Scan saved at 23:32:19, on 02/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\CFusion\cfam\program\ccmgr.exe
    C:\CFusion\Bin\cfserver.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\CFusion\Bin\cfexec.exe
    C:\CFusion\Bin\cfrdsservice.exe
    C:\CFusion\cfam\Program\dfp.exe
    C:\CFusion\JRun\bin\JRun.exe
    C:\CFusion\cfam\Program\wsm.exe
    C:\CFusion\jrun\bin\jrun.exe
    C:\CFusion\cfam\Program\wsprobe.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\MySQL\bin\mysqld.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\CFusion\jre\bin\ntConsoleJava.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\applc32.exe
    C:\CFusion\jre\bin\ntConsoleJava.exe
    C:\CFusion\cfam\bin\CANamingAdapter.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\ipbj32.exe
    C:\Program Files\Microsoft Money\System\reminder.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\GuruNet\GuruNet.exe
    C:\PROGRA~1\COMMON~1\ATOMIC~1\agtserv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\epwgs.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epwgs.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://epwgs.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\epwgs.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\epwgs.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://epwgs.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8C38E844-57F2-3EDD-FEEA-F53BAA76633A} - C:\WINDOWS\crdk32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ipbj32.exe] C:\WINDOWS\ipbj32.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
    O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    ****
    Skybot
    ****


    --- Report generated: 2004-07-03 00:31 ---

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-2798751602-1749521121-372829268-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-12 Includes\Cookies.sbi
    2004-05-12 Includes\Dialer.sbi
    2004-05-12 Includes\Hijackers.sbi
    2004-05-12 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-05-12 Includes\Malware.sbi
    2004-05-12 Includes\Revision.sbi
    2004-05-12 Includes\Security.sbi
    2004-05-12 Includes\Spybots.sbi
    2004-05-12 Includes\Tracks.uti
    2004-05-12 Includes\Trojans.sbi


    Many thanks,

    Woodpigeon
     
  2. Woodpigeon

    Woodpigeon Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2
    I'm just bumping this - I hope this is ok.. :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.