Hijack + other problems

Discussion in 'adware, spyware & hijack cleaning' started by Woodpigeon, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. Woodpigeon (Registered Member)

    Hi,

    I have a Windows XP operating system running IE and Norton Antivirus.

    While browsing a few days ago, Norton alerted me to a virus attack. The attack was quickly dealt with, but it has left my computer a bit messed up.

    1) the home web address has been altered, and I can't change it even if I use Regedit. I am also getting regular popup windows appearing.

    2) Windows Media player won't work. When I click on an icon all I get is a dull beep.

    3) An installation window for Small Business XP appears any time I try to launch an application. It's a bit irritating.

    I have since loaded up Ad-Aware, SSD and Hijack This. I also ran a full virus check with Norton. None of them seem to have found anything really amiss, although Spybot is telling me I have a DSO problem, which is strange because I have tried to keep my Windows programs up to date.

    OK - here is the HijackThis log, and I also include the latest Spybot log from earlier tonight. Any help you can give me would be most appreciated!

    Logfile of HijackThis v1.98.0
    Scan saved at 23:32:19, on 02/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\CFusion\cfam\program\ccmgr.exe
    C:\CFusion\Bin\cfserver.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\CFusion\Bin\cfexec.exe
    C:\CFusion\Bin\cfrdsservice.exe
    C:\CFusion\cfam\Program\dfp.exe
    C:\CFusion\JRun\bin\JRun.exe
    C:\CFusion\cfam\Program\wsm.exe
    C:\CFusion\jrun\bin\jrun.exe
    C:\CFusion\cfam\Program\wsprobe.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\MySQL\bin\mysqld.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\CFusion\jre\bin\ntConsoleJava.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\applc32.exe
    C:\CFusion\jre\bin\ntConsoleJava.exe
    C:\CFusion\cfam\bin\CANamingAdapter.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\ipbj32.exe
    C:\Program Files\Microsoft Money\System\reminder.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\GuruNet\GuruNet.exe
    C:\PROGRA~1\COMMON~1\ATOMIC~1\agtserv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\epwgs.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epwgs.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://epwgs.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\epwgs.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\epwgs.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://epwgs.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8C38E844-57F2-3EDD-FEEA-F53BAA76633A} - C:\WINDOWS\crdk32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ipbj32.exe] C:\WINDOWS\ipbj32.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
    O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    ****
    Spybot
    ****


    --- Report generated: 2004-07-03 00:31 ---

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-2798751602-1749521121-372829268-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-12 Includes\Cookies.sbi
    2004-05-12 Includes\Dialer.sbi
    2004-05-12 Includes\Hijackers.sbi
    2004-05-12 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-05-12 Includes\Malware.sbi
    2004-05-12 Includes\Revision.sbi
    2004-05-12 Includes\Security.sbi
    2004-05-12 Includes\Spybots.sbi
    2004-05-12 Includes\Tracks.uti
    2004-05-12 Includes\Trojans.sbi


    Many thanks,

    Woodpigeon
     
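As an added example that is not part of the post, of HijackThis or of Spybot: a small Python triage script that applies a defender's reading of the log above to the entries it contains (start and search pages served from a local res:// DLL, the unnamed BHO, the missing URLSearchHook, the Run entry sitting in the Windows root, the orphaned O18 protocol). The `RULES`, `triage` and `suspicious_dlls` names and the heuristics behind them are my own assumptions, not HijackThis categories, and the sample log is a constructed subset of the lines posted above.

```python
import re

# Constructed sample: entries copied from the HijackThis log in the post above,
# plus benign ones (Dell home page, Norton BHO, QuickTime) so every rule has
# both a hit and a miss to work on.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\epwgs.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://epwgs.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8C38E844-57F2-3EDD-FEEA-F53BAA76633A} - C:\WINDOWS\crdk32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ipbj32.exe] C:\WINDOWS\ipbj32.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

# (pattern, reason) pairs: my own triage heuristics, not HijackThis categories.
RULES = [
    (re.compile(r"^R[01] - .*= res://", re.I),
     "IE start/search page is served from a local DLL resource (res://), not a web URL"),
    (re.compile(r"^R3 - Default URLSearchHook is missing", re.I),
     "default URLSearchHook removed, a common side effect of search hijackers"),
    (re.compile(r"^O2 - BHO: \(no name\)", re.I),
     "unnamed Browser Helper Object loaded into every IE/Explorer process"),
    (re.compile(r"^O4 - .*: \[[^\]]+\] C:\\WINDOWS\\[^\\]+\.exe\s*$", re.I),
     "autorun executable placed directly in the Windows root directory"),
    (re.compile(r"^O18 - Protocol: .* - \(no file\)$", re.I),
     "custom URL protocol handler registered but its DLL is missing"),
]

def triage(log_text):
    """Return [(line, reason)] for every log line that matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append((line, reason))
                break  # one reason per line is enough for triage
    return findings

def suspicious_dlls(findings):
    """DLL file names referenced by flagged lines, e.g. {'epwgs.dll', 'crdk32.dll'}."""
    names = set()
    for line, _ in findings:
        names.update(m.lower() for m in re.findall(r"[\w-]+\.dll", line, re.I))
    return names
```

Running `triage(SAMPLE_LOG)` flags six of the nine sample lines and `suspicious_dlls` reduces them to the two DLL names worth submitting to an AV vendor or checking for a digital signature; the Norton and Dell entries pass untouched.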
  2. Woodpigeon (Registered Member)

    I'm just bumping this - I hope this is OK. :)
     