Hijacked startpage

Discussion in 'adware, spyware & hijack cleaning' started by Chiko42, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. Chiko42

    Chiko42 Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Hi,

    Could anyone help me with the log below?
    Whatever I do, my IE startpage is not correct.

    Logfile of HijackThis v1.97.7
    Scan saved at 19:49:45, on 3-6-2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ANVSHELL.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM.EXE
    C:\WINDOWS\SYSTEM32\WINTIME.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Herinneringen van Microsoft Works Agenda.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: Tiscali.lnk = C:\Program Files\Tiscali\TisConnectionCheck.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Startup: Notities Corel Family & Friends.LNK = C:\Corel\Print House Magic\cffrem.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .m1v: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.mycom.nl
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38111.1139467593
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    please download http://tools.zerosrealm.com/pv.zip and unzip it to desktop

    double click on the runme9x.bat and select option 1, post its log, then option 2 and post its log

    when we see the dodgy file that is putting this hijacker on we can hopefully fix it
     
  3. Chiko42

    Chiko42 Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Hi Derek,

    See logs below:

    Module information for 'EXPLORER.EXE'
    MODULE BASE SIZE PATH
    WEBVW.DLL 7f170000 2142208 C:\WINDOWS\SYSTEM\WEBVW.DLL 5.50.4134.100 Shell Inhoud van Webweergave en controlebibliotheek
    DOCPROP2.DLL 7cb10000 331776 C:\WINDOWS\SYSTEM\DOCPROP2.DLL 5.00.2136.1 DocProp2
    AVIFIL32.DLL 7e410000 98304 C:\WINDOWS\SYSTEM\AVIFIL32.DLL 4.90.3000 Microsoft AVI-bestandsondersteuningsbibliotheek
    CRTDLL.DLL 7fb10000 180224 C:\WINDOWS\SYSTEM\CRTDLL.DLL 3.50 Microsoft C Runtime Library
    MSVFW32.DLL 77ad0000 147456 C:\WINDOWS\SYSTEM\MSVFW32.DLL 4.90.3000 Microsoft Video voor Windows-DLL
    WOW32.DLL bfdc0000 20480 C:\WINDOWS\SYSTEM\WOW32.DLL 4.90.3000 Win32 WOW32 core component
    DCIMAN32.DLL 7d130000 24576 C:\WINDOWS\SYSTEM\DCIMAN32.DLL 4.90.3000 DCI Manager 1.00
    SHFOLDER.DLL 718e0000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 5.50.4134.600 Shell Folder Service
    OLEDB32.DLL 1f9c0000 483328 C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\OLEDB32.DLL 2.50.4403.8 Microsoft Data Access - OLE DB Core Services
    OLEDB32R.DLL 1fa40000 73728 C:\PROGRAM FILES\COMMON FILES\SYSTEM\OLE DB\OLEDB32R.DLL 2.50.4403.2 Microsoft Data Access - OLE DB-kernservicebronnen
    MSHTMLED.DLL 70f10000 417792 C:\WINDOWS\SYSTEM\MSHTMLED.DLL 5.50.4134.600 Microsoft (R)-onderdeel voor HTML-bewerking
    JAVACYPT.DLL 7ae60000 192512 C:\WINDOWS\SYSTEM\JAVACYPT.DLL 5.00.3309 MS Java Crypt Dll
    MSAWT.DLL 79b60000 167936 C:\WINDOWS\SYSTEM\MSAWT.DLL 5.00.3309 Microsoft AWT Library for Java
    JAVART.DLL 7ada0000 417792 C:\WINDOWS\SYSTEM\JAVART.DLL 5.00.3309 Microsoft® Runtime Library for Java
    JIT.DLL 7acc0000 180224 C:\WINDOWS\SYSTEM\JIT.DLL 5.00.3309 Microsoft® Just-in-Time Compiler for Java
    MSJAVA.DLL 790d0000 954368 C:\WINDOWS\SYSTEM\MSJAVA.DLL 5.00.3309 Microsoft® VM
    VMHELPER.DLL 74780000 294912 C:\WINDOWS\SYSTEM\VMHELPER.DLL 5.00.3309 Microsoft® Virtual Machine Helper Library voor Java
    DISPEX.DLL 36c0000 45056 C:\WINDOWS\SYSTEM\DISPEX.DLL 5.1.0.4615 Microsoft (r) DispEx
    MSADO15.DLL 1f440000 487424 C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADO15.DLL 2.50.4403.9 Microsoft Data Access - ActiveX Data Objects
    MSDART32.DLL 798e0000 24576 C:\WINDOWS\SYSTEM\MSDART32.DLL 2.50.4403.0 Microsoft Data Access - OLE DB Runtime Routines
    MSSHK.DLL 49110000 24576 C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MSSHK.DLL 10.109.3705.2 Microsoft PKM Search Hooks
    MSXML3.DLL 69b10000 1142784 C:\WINDOWS\SYSTEM\MSXML3.DLL 8.40.9419.0 MSXML 3.0 SP 4
    INETCOMM.DLL 5ec00000 581632 C:\WINDOWS\SYSTEM\INETCOMM.DLL 5.50.4133.2400 Microsoft Internet Messaging API
    INETRES.DLL 54700000 57344 C:\WINDOWS\SYSTEM\INETRES.DLL 5.50.4133.2400 Bronnen voor Microsoft Internet-berichtenservice-API
    MSOERT2.DLL 78630000 102400 C:\WINDOWS\SYSTEM\MSOERT2.DLL 5.50.4133.2400 Microsoft Outlook Express RT Lib
    ITSS.DLL 5d480000 135168 C:\WINDOWS\SYSTEM\ITSS.DLL 5.2.3644.0 Microsoft® InfoTech Storage System Library
    PLUGIN.OCX 36a0000 98304 C:\WINDOWS\SYSTEM\PLUGIN.OCX 5.50.4134.600 ActiveX Plugin OCX
    MSADP32.ACM 72e20000 32768 C:\WINDOWS\SYSTEM\MSADP32.ACM 4.90.3000 Microsoft ADPCM CODEC voor MSACM
    MSACM32.DLL 79df0000 102400 C:\WINDOWS\SYSTEM\MSACM32.DLL 4.90.3000 Microsoft Audiocompressiebeheer
    WINMM.DLL bfdd0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL 4.90.3000 System APIs for Multimedia
    JSCRIPT.DLL 6b700000 552960 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.5.0.8513 Microsoft (r) JScript
    IEPEERS.DLL 70f90000 245760 C:\WINDOWS\SYSTEM\IEPEERS.DLL 5.50.4134.600 Internet Explorer-objecten van neventoepassingen
    MSOHEV.DLL 32520000 73728 C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOHEV.DLL 10.0.2609 Microsoft Office XP component
    MSAFD.DLL 79bc0000 40960 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.90.3000 Microsoft Windows Sockets 2.0 Service-aanbieder
    RNR20.DLL 76290000 57344 C:\WINDOWS\SYSTEM\RNR20.DLL 4.90.3000 Windows Socket2 NameSpace DLL
    SDHELPER.DLL 3460000 765952 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL 1, 3, 0, 12 Bad download blocker
    OLEPRO32.DLL 76ed0000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4515
    ACROIEHELPER.DLL 3450000 49152 C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    BROWSELC.DLL 718a0000 49152 C:\WINDOWS\SYSTEM\BROWSELC.DLL 5.50.4134.600 Shell Browser-bibliotheek voor gebruikersinterface
    LINKINFO.DLL 7fa90000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.90.3000 Windows Volume Tracking
    MSI.DLL 2ff0000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
    SETUPAPI.DLL 75cf0000 593920 C:\WINDOWS\SYSTEM\SETUPAPI.DLL 5.00.2195.1526 Windows Setup API
    WINTRUST.DLL 73ce0000 176128 C:\WINDOWS\SYSTEM\WINTRUST.DLL 5.131.2133.2 API's voor Microsoft-vertrouwenslijstcontrole
    IMAGEHLP.DLL 7b5f0000 143360 C:\WINDOWS\SYSTEM\IMAGEHLP.DLL 5.00.2178.1 Windows NT Image Helper
    CRYPT32.DLL 5cf00000 479232 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.2133.6 Crypto API32
    MSASN1.DLL 79b90000 65536 C:\WINDOWS\SYSTEM\MSASN1.DLL 4.4.3420 Microsoft ASN.1 Encoder/Decoder
    CFGMGR32.DLL 7f700000 40960 C:\WINDOWS\SYSTEM\CFGMGR32.DLL 4.90.3000 Configuration Manager Win32 Interface
    NTDLL.DLL bfe70000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.90.3000 Win32 NTDLL core component
    CABINET.DLL 7e070000 77824 C:\WINDOWS\SYSTEM\CABINET.DLL 5.00.2147.1 Microsoft® Cabinet File API
    WINSPOOL.DRV 7fe40000 36864 C:\WINDOWS\SYSTEM\WINSPOOL.DRV 4.90.3000 Win32 WINSPOOL core component
    LZ32.DLL bfe40000 24576 C:\WINDOWS\SYSTEM\LZ32.DLL 4.90.3000 Win32 LZ32 core component
    SYSTEM32.DLL 10000000 32768 C:\WINDOWS\SYSTEM32\SYSTEM32.DLL
    COMDLG32.DLL 7fe00000 212992 C:\WINDOWS\SYSTEM\COMDLG32.DLL 5.50.4134.100 DLL voor gedeelde dialoogvensters
    AUHOOK.DLL 2770000 36864 C:\WINDOWS\SYSTEM\AUHOOK.DLL 5.4.1083.11 Microsoft AutoUpdate
    WEBCHECK.DLL 70320000 274432 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 5.50.4134.600 Website Monitor
    ACTXPRXY.DLL 703b0000 94208 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 5.50.4134.600 ActiveX Interface Marshaling Library
    IMM32.DLL bfe00000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.90.3000 Win32 IMM32 core component
    MSLS31.DLL 48080000 163840 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
    MSIMTF.DLL 60280000 176128 C:\WINDOWS\SYSTEM\MSIMTF.DLL 1.00.2409.7 built by: Lab06_N Active IMM Server DLL
    SHDOCLC.DLL 71820000 417792 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 5.50.4134.600 Objecten- en besturingselementenbibliotheek Shell Doc
    MSCTF.DLL.MUI 36d0000 12288 C:\WINDOWS\MUI\FALLBACK\0413\MSCTF.DLL.MUI 1.00.2409.7 built by: Lab06_N DLL-bestand voor MSUIM-server
    MYDOCS.DLL 77770000 81920 C:\WINDOWS\SYSTEM\MYDOCS.DLL 5.50.4134.100 De gebruikersinterface van de map Mijn documenten
    RASAPI32.DLL 7f780000 253952 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.90.3000 DLL-bestand van Inbelnetwerk
    WSOCK32.DLL 731c0000 36864 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.90.3000 BSD Socket API for Windows
    MSWSOCK.DLL 77960000 81920 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.90.3000 Microsoft WinSock Extension APIs
    WS2_32.DLL 73200000 69632 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.90.3000 Windows Socket 2.0 32-Bit DLL
    WS2HELP.DLL 731f0000 20480 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.90.3000 Windows Socket 2.0 Helper for Windows 98
    SECUR32.DLL 7f760000 69632 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.90.3000 Microsoft Win32 Security Services (Export Version)
    SVRAPI.DLL 7f850000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.90.3000 32-bit common Server API library
    MSNET32.DLL 7fa20000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.90.3000 Microsoft 32-bits Netwerk-API-bibliotheek
    MSPWL32.DLL 7fa60000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.90.3000 Password list management library
    NETAPI32.DLL 7f890000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.90.3000 32-bit network API DLL
    NETBIOS.DLL 7f730000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
    MPR.DLL 7f120000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.90.3000 WIN32 Netwerk-interface-DLL
    WININET.DLL 70200000 491520 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4134.600 Internet-extensies voor Win32
    TAPI32.DLL 7f860000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.90.3000 Microsoft® Windows(TM) Telephony API Client DLL
    RPCRT4.DLL 7faa0000 344064 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.3335 Remote Procedure Call DLL
    OLEAUT32.DLL 7fe80000 610304 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4515
    MSHTML.DLL 70c30000 2756608 C:\WINDOWS\SYSTEM\MSHTML.DLL 5.50.4134.600 Microsoft (R) HTML-viewer
    MLANG.DLL 70420000 557056 C:\WINDOWS\SYSTEM\MLANG.DLL 5.50.4134.600 Multi Language Support DLL
    URLMON.DLL 70290000 466944 C:\WINDOWS\SYSTEM\URLMON.DLL 5.50.4134.600 OLE32-extensies voor Win32
    VERSION.DLL bfe50000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.90.3000 Win32 VERSION core component
    BROWSEUI.DLL 71110000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4134.600 Shell Browser-bibliotheek voor gebruikersinterface
    OLE32.DLL 7ff20000 794624 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.3328 Microsoft OLE for Windows and Windows NT
    SHDOCVW.DLL 70fe0000 1150976 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4134.600 Objecten- en besturingselementenbibliotheek Shell Doc
    MSCTF.DLL 60000000 290816 C:\WINDOWS\SYSTEM\MSCTF.DLL 1.00.2409.9 built by: Lab06_N MSUIM Server DLL
    SHELL32.DLL 7fbc0000 2306048 C:\WINDOWS\SYSTEM\SHELL32.DLL 5.50.4134.100 Gemeenschappelijk DLL-bestand van Windows Shell
    MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.8637.0 Microsoft (R) C Runtime Library
    EXPLORER.EXE 400000 225280 C:\WINDOWS\EXPLORER.EXE 5.50.4134.100 Windows Verkenner
    COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
    SHLWAPI.DLL 70bd0000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4134.600 Shell lichtgewicht hulpprogrammabilbliotheek
    USER32.DLL bff40000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.90.3000 Win32 USER32 core component
    GDI32.DLL bff10000 172032 C:\WINDOWS\SYSTEM\GDI32.DLL 4.90.3000 Win32 GDI core component
    ADVAPI32.DLL bfe60000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.90.3000 Win32 ADVAPI32 core component
    KERNEL32.DLL bff60000 544768 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.90.3000 Win32 Kernel-kerncomponent


    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    MSCTF.DLL 60000000 290816 C:\WINDOWS\SYSTEM\MSCTF.DLL 1.00.2409.9 built by: Lab06_N MSUIM Server DLL
    IEXPLORE.EXE 400000 73728 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE 5.50.4134.600 Internet Explorer
    SHLWAPI.DLL 70bd0000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4134.600 Shell lichtgewicht hulpprogrammabilbliotheek
    USER32.DLL bff40000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.90.3000 Win32 USER32 core component
    GDI32.DLL bff10000 172032 C:\WINDOWS\SYSTEM\GDI32.DLL 4.90.3000 Win32 GDI core component
    ADVAPI32.DLL bfe60000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.90.3000 Win32 ADVAPI32 core component
    KERNEL32.DLL bff60000 544768 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.90.3000 Win32 Kernel-kerncomponent
    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    MSCTF.DLL 60000000 290816 C:\WINDOWS\SYSTEM\MSCTF.DLL 1.00.2409.9 built by: Lab06_N MSUIM Server DLL
    IEXPLORE.EXE 400000 73728 C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE 5.50.4134.600 Internet Explorer
    SHLWAPI.DLL 70bd0000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4134.600 Shell lichtgewicht hulpprogrammabilbliotheek
    USER32.DLL bff40000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.90.3000 Win32 USER32 core component
    GDI32.DLL bff10000 172032 C:\WINDOWS\SYSTEM\GDI32.DLL 4.90.3000 Win32 GDI core component
    ADVAPI32.DLL bfe60000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.90.3000 Win32 ADVAPI32 core component
    KERNEL32.DLL bff60000 544768 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.90.3000 Win32 Kernel-kerncomponent


    When I browse to the unwanted startpage AVGuard gives me the following warnings:

    The File "c:\XDLD17.EXE"
    The File "c:\system\XDLD24.EXE"
    The File "c:\recycled\1.EXE"

    Contains the code of the virus "TR/small.Dld.F0"

    It looks like my PC has been infected with a virus.
    Any suggestions how to remove it?

    Thank you
     
    Last edited: Jun 3, 2004
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\SYSTEM32\SYSTEM32.DLL
    c:\XDLD17.EXE
    c:\system\XDLD24.EXE
    c:\recycled\1.EXE
    C:\WINDOWS\system32\wintime.exe

    then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete it all
    then
    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    download CWshredder from http://www.thespykiller.co.uk then Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.


    then
    download this file https://www.wilderssecurity.com/attachment.php?attachmentid=137126
    hit 'save as'
    give it the name 'clear.reg'
    under the filename set file types to all files.
    save it to the desktop.

    After done double click the clear.reg
    when asked to merge say yes


    then post a new hijackthis log to check what is left
     
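    As an added example that is not part of this thread and not code from any of the posters or from HijackThis itself, the script below applies the reasoning behind the fix list above to raw HijackThis log lines: it flags R0/R1 entries whose Start Page, Default_Page_URL or Local Page points at a bare IP address rather than a DNS name, a SearchAssistant value reset to about:blank, and an O4 autostart entry that runs from a `\system32\` folder on a Win9x/ME platform (where the OS system directory is `\WINDOWS\SYSTEM`, so that folder is not created by Windows). The heuristics are my own reading of the entries the moderator chose to fix, not a rule set from the thread; the sample log is assembled from lines quoted on this page.

```python
import re
from typing import List, Tuple

# Constructed sample: a HijackThis header plus log lines copied from the
# thread above. Benign lines are included so the triage shows what it leaves alone.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows ME (Win9x 4.90.3000)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hetnet.nl/default.htm
"""

# R0/R1 lines look like "<Rn> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# O4 lines look like "O4 - <hive>\..\<Run key>: [<entry name>] <command>"
O4_LINE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
# A URL whose host is a dotted quad instead of a DNS name.
BARE_IP_URL = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)", re.I)
# IE values a start-page hijacker rewrites.
PAGE_VALUES = {"start page", "default_page_url", "local page"}


def triage_hijackthis(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log lines worth a second look.

    The heuristics (my own, modelled on the moderator's fix list) are:
    IE pages pointing at a raw IP, the search assistant blanked out, and an
    autostart entry living in a folder the OS does not use on this platform.
    """
    findings: List[Tuple[str, str]] = []
    win9x = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            # Windows 9x/ME keep system files in \WINDOWS\SYSTEM; a
            # \system32 folder there is not created by the OS itself.
            win9x = "Win9x" in line
            continue
        m = R_LINE.match(line)
        if m:
            name = m.group("name").strip().lower()
            data = m.group("data").strip()
            if name in PAGE_VALUES and BARE_IP_URL.match(data):
                findings.append(("IE page redirected to a bare IP address", line))
            elif name == "searchassistant" and data.lower() == "about:blank":
                findings.append(("search assistant blanked out", line))
            continue
        m = O4_LINE.match(line)
        if m and win9x and re.search(r"\\system32\\", m.group("cmd"), re.I):
            findings.append(("autostart from a system32 folder on a Win9x platform", line))
    return findings


def suspicious_hosts(findings: List[Tuple[str, str]]) -> set:
    """Collect the bare-IP redirect hosts so they can be blocked or searched for in proxy logs."""
    hosts = set()
    for _, line in findings:
        m = re.search(r"https?://([^/\s:]+)", line, re.I)
        if m and BARE_IP_URL.match("http://" + m.group(1)):
            hosts.add(m.group(1))
    return hosts


if __name__ == "__main__":
    results = triage_hijackthis(SAMPLE_LOG)
    for reason, line in results:
        print(f"[{reason}]\n    {line}")
    print("redirect hosts:", sorted(suspicious_hosts(results)))
```

    Run against the constructed sample, the script flags exactly the four lines the moderator told the poster to fix and leaves the Koppelingen, taskmon.exe, mstask.exe and hetnet.nl lines alone; the Platform header is what turns the system32 heuristic on, so the same O4 line on an NT-based Windows would not be flagged by this rule.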
  5. Chiko42

    Chiko42 Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Hi Derek,

    I didn't install all critical updates yet, but here is the new hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 23:49:43, on 3-6-2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ANVSHELL.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hetnet.nl/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Herinneringen van Microsoft Works Agenda.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: Tiscali.lnk = C:\Program Files\Tiscali\TisConnectionCheck.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Startup: Notities Corel Family & Friends.LNK = C:\Corel\Print House Magic\cffrem.exe
    O4 - Startup: Doorgaan met Windows Update-installatie.lnk = C:\WINDOWS\Windows Update Setup-bestanden\ie6setup.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .m1v: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.mycom.nl
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38111.1139467593
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands